Yesterday I received an email apparently from eBay, informing me that my account had been used for malicious purposes and that I should change my password post-haste. I’m very skeptical of emails apparently from eBay. Normally I delete them without thinking. But this email managed to catch my attention. Here’s a portion of the text:
It appears your account was accessed by an unauthorized third party and used to send unsolicited emails to other community members, including email offers to sell items outside of eBay. It does not appear that your account was used to list or bid on any items. Additionally, the email address on your account may have been tampered with, which is why you may not have received any emails about this activity.
At this time we have taken several steps to secure your eBay account. Rest assured that your credit card and banking information is safe on the eBay site. This information is kept encrypted on a secure server and cannot be viewed by anyone.
Click on the screenshot to see that the email is authentic-looking. I’ve removed all the naughty bits to protect my identity. To check the email’s authenticity, I tried to log into eBay in a new browser window — not by clicking on any links in the email.
I was unable to log in, as the email went on to explain. eBay had changed my password after it detected malicious activity. I reset my password after verifying my identity and logged in. In my message inbox was the same email I had received externally. Apparently, my account had been used to send “questions” to the hosts of a variety of auctions, pointing them to some external website. I checked my sent messages folder within eBay, and I saw 25 messages sent on July 2 to a number of other eBay users.
The account was not used to bid on any items, so I didn’t have to worry about that. I did go through and change all of my passwords, as the message from eBay suggested. I’m not happy with this situation, and after being conditioned to treat all email appearing to be from eBay as most likely spam or an attempt to trick me into entering my password somewhere, I could easily have overlooked this warning.
There are several ways my password could have been obtained by a hacker. There’s the slight possibility I clicked on one of those fake eBay emails. I find that really hard to believe, as I am very careful about such things. One of my computers may have a keylogging program installed on it. My home computer is protected by AVG, which has never discovered any malicious programs running, so either that’s not the answer, or AVG Anti-Virus Free has failed.
Most likely, the password was guessed by software designed to do such hacking. I could have chosen a stronger password.
If there’s anything to take away from my experience, it’s that not every email from eBay is fake, strong passwords aren’t strong enough, and even rarely-used accounts with unimpressive stats are targets.
Published or updated July 3, 2007.