
My eBay Account Was Hacked!



Yesterday I received an email apparently from eBay, informing me that my account was used for malicious purposes, and I should change my password post-haste. I’m very skeptical of emails apparently from eBay. Normally I delete them without thinking. But this email managed to catch my attention. Here’s a portion of the text:

It appears your account was accessed by an unauthorized third party and used to send unsolicited emails to other community members, including email offers to sell items outside of eBay. It does not appear that your account was used to list or bid on any items. Additionally, the email address on your account may have been tampered with, which is why you may not have received any emails about this activity.

At this time we have taken several steps to secure your eBay account. Rest assured that your credit card and banking information is safe on the eBay site. This information is kept encrypted on a secure server and cannot be viewed by anyone.

Click on the screenshot to see that the email is authentic looking. I’ve removed all the naughty bits to protect my identity. To check the email’s authenticity, I tried to log into eBay in a new browser window — not by clicking on any links in the email.

I was unable to log in, as the email explained further. eBay had changed my password after it detected malicious activity. I reset my password after verifying my identity and logged in. In my message inbox was the same email I received externally. Apparently, my account had been used to send “questions” to the hosts of a variety of auctions pointing them to some external website. I checked my sent messages folder within eBay, and I saw 25 messages sent on July 2 to a number of other eBay users.

The account was not used to bid on any items, so I didn’t have to worry about that. I did go through and change all of my passwords as the message from eBay suggested. I’m not happy with this situation, and after being conditioned that all email appearing to be from eBay is most likely spam or someone trying to trick me into entering my password somewhere, I could easily have overlooked this warning.

There are several ways my password could have been used by a hacker. There’s the slight possibility I clicked on one of those fake eBay emails. I find that really hard to believe as I am very careful about such things. One of my computers may have a keylogging program installed on it. My home computer is protected by AVG, which has never discovered any malicious programs running, so either that’s not the answer, or AVG Anti-Virus Free has failed.

Most likely, the password was guessed through software designed to do such hacking. I could have chosen a stronger password to use.

If there’s anything to take away from my experience, it’s that not every email from eBay is fake, strong passwords aren’t strong enough, and even rarely-used accounts with unimpressive stats are targets.

Published or updated July 3, 2007.

About the author

Luke Landes, also known as Flexo, is the founder of Consumerism Commentary. He has been blogging and writing for the internet since 1995 and has been building online communities since 1991.


13 comments

Chuck

I don’t think I would have ever caught that since I usually automatically just delete any eBay email as phishing. Probably would have gone unnoticed until I tried to log in.

You may want to try pairing up AVG with some anti-spyware tools like Search & Destroy, SpySweeper, and AdAware just to be sure.

sam

Sounds like you do have a keylogger or tracker on your computer. The AVG program you have won’t catch this type of thing. Go to the AVG homepage and get their trial of the new AVG anti-malware. I had the normal AVG and I had so many viruses on my computer I didn’t know what to do, and I contacted AVG and they said for me to visit their home page and download their trials and see which one helped, and the malware was able to rid my computer of everything that the normal AVG didn’t detect. I hope this helps you out :)

Nathan Whitehead

I recommend closing your eBay and PayPal accounts (I did recently). eBay has tremendous security problems; I wouldn’t (and don’t) trust them with my money anymore. My account was hacked in a similar way to yours. And then the winning bidder in my auction was a Nigerian scam. I have a recent entry in my blog with more details. eBay is not worth the hassle and security risk.

I now use craigslist for buying and selling junk (cash in person). All the small online merchants take credit cards nowadays; you don’t really need a PayPal account except for eBay.

tinyhands

If you wanted to know if the eBay email was authentic, you can read the complete headers to see if it was really sent by them or spoofed.

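An added example, not part of tinyhands’ comment or the original post: one way to read the headers programmatically is to check the `Authentication-Results` header (RFC 8601) that the receiving mail server stamps on a message. It assumes your provider adds that header under the hypothetical authserv-id `mx.example.net`; both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id your own mail provider stamps on inbound mail.
TRUSTED_AUTHSERV = "mx.example.net"

def aligned(domain, expected):
    """True if domain is the expected domain or a subdomain of it."""
    domain = domain.lower().rstrip(".")
    return domain == expected or domain.endswith("." + expected)

def check_sender(raw, expected, authserv=TRUSTED_AUTHSERV):
    """Return reasons to distrust the message; an empty list means it passed."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    if not aligned(from_domain, expected):
        findings.append("From domain %r is not %s" % (from_domain, expected))
    seen = dkim_ok = False
    for value in msg.get_all("Authentication-Results", []):
        serv, _, rest = value.partition(";")
        # The sender can add this header too; trust only our own server's copy.
        if serv.strip().lower() != authserv:
            continue
        seen = True
        for clause in rest.split(";"):
            m = re.search(r"\bdkim=pass\b.*?\bheader\.d=([\w.-]+)", clause, re.S)
            if m and aligned(m.group(1), expected):
                dkim_ok = True
    if not seen:
        findings.append("no Authentication-Results header from " + authserv)
    elif not dkim_ok:
        findings.append("no passing DKIM signature aligned with " + expected)
    return findings

# Constructed sample messages (not real eBay mail).
GENUINE = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ebay.com;\n"
           " dkim=pass header.d=ebay.com\n"
           "From: eBay <member@ebay.com>\n\nbody\n")
SPOOFED = ("Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=bulk.invalid;\n"
           " dkim=none\n"
           "Authentication-Results: relay.invalid; dkim=pass header.d=ebay.com\n"
           "From: eBay <member@ebay.com>\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_sender(raw, "ebay.com"))
```

A passing result only shows that the message came from the claimed domain; logging in through a freshly opened browser window, as the post describes, remains the safer confirmation.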

Stuart

Another trick you should look out for with stuff like this is phishers will email you with something like this, and, courteous people that they are, will provide a link that appears to go directly to the login page of your eBay account so you can quickly change your password. But instead, the link goes to their site, so when you log in to change your password they’ve got your username and password.

Eric

You should purchase the One Time Password utility that PayPal sells for $5 for more security. I think business accounts get it for free.

Lazy Man and Money

Yes, this is indeed quite scary. I wouldn’t have caught on for another 2 months when I next decided to log into eBay and found a problem.

Chris

How do you think they got it, by hacking eBay, from a phisher email, or by just guessing your password with some hacking software?

There’s a neat little tool from Microsoft.com that I always use when creating passwords, a “Password Checker”, here’s a link! https://www.microsoft.com/protect/yourself/password/checker.mspx

dimes

No fun. I forgot I even have an eBay account until they sent me a message reminding me.

dong

I always quickly check most emails even if I think it might be phishy just in case. Stuff like this makes me want to have SecurID for everything.

Valerie

Take a look at Roboform.com. This password protection program is superb! It encrypts your passwords and enters them automatically. It also will create random passwords for you. You can lock it completely by password to the program itself. It eliminates all possibility of a keyboard spy program. It comes in two versions…one for a desktop, one you can run on your flashdisk and carry with you…use it on ANY computer, and it doesn’t leave any data on the computer on which you use it.

Bags

I received the same email about a year ago. The most frustrating thing is that eBay won’t tell you how they know your account was hacked because they don’t want hackers finding out how to get around their tactics. The problem is that you as the end user can’t figure out how to better prevent the problem in the future other than guessing.

firefly

The same happened to me today. I religiously use AVG, Search & Destroy on my PCs as well as scan daily with Malwarebytes’ Anti-Malware. The funny thing is I haven’t logged into my eBay account for a looooong time so I suspect that this hack was not in any way due to my negligence. Makes me wonder…
