Update on eBay Security Issue

Subscribe to our 2 FREE Newsletters!

Web AuctionBytes

Home

Subscribe

Blog

Letters to Editor

Podcasts

Forums

AuctionBytes TV

ABU Back Issues

Sponsor

COOL TOOLS

Calendar

eBay Fee Calculator

Collectors' Links

eBay Promo History

Bookshelf

Fraud Resources

Auction Site Fees

Auction Management

Payment Services

Storefronts Chart

Sniping Chart

Consignment Services

Drop-Off Store Laws

Ecommerce Resources

Photo Tips

Marketing Inserts

Yellow Pages

Classifieds

AUCTIONBYTES

Our Writers

Write For Us

Partners

Press

Advertising

About Us

Link To Us

AuctionBytes Blog
News and insight focusing on
ecommerce and the online auction industry
by Ina Steiner, Editor of AuctionBytes.com

September 25, 2007

Update on eBay Security Issue

By: Ina Steiner

Tue Sept 25 2007 14:07:47

eBay's Trust & Safety board remains closed after eBay took it down this morning when threads began appearing listing what appeared to be confidential user information. (See article here.)

We've contacted several people whose information appeared to be exposed in an effort to verify whether the information in the postings were correct. Multiple people have confirmed their address was correct. One person said the credit card number did not belong to him, and others have yet to get back to us to confirm their credit card number one way or the other.

Users have speculated that Vladuz may be behind the incident. While the posts did not contain the name Vladuz, they contained a line, "SGI Inc. - emocnI gnitareneG rof snoituloS." The letters are Solutions of Generating Income spelled backwards. When the Romanian hacker Valduz posted in February on the eBay boards, one of the names he used was Vladuzsgi.

eBay said at the time that while Vladuz had obtained access to a "handful" of customer service representatives' email accounts, he never hacked into the site or accessed any customer data.

We are still waiting to hear from eBay about this morning's incident.

Update: 9/25/07 2:45 pm Eastern
eBay's Chatter blog acknowledged the incident at 2:15 and stated that the credit card information that appeared in the postings was not linked to financial information on file for those users at eBay or PayPal.

Comments (72) | Leave Comment | Permalink

Readers Comments

Update on eBay Security Issue

by: dimes

Wed Sep 26 15:30:06 2007

Giovanni, you might want to contact youtube and ask for the specific reason your public service video was pulled.

If they tell you it was done at eBay request and has anything to do with a copyright violation for displaying portions of eBay screens, contact the Electronic Frontier Foundation and ask for their advice about filing a DMCA counterclaim. If they think you’ve got a valid case, they’ll make sure that everyone and their brother knows that eBay appears to be trying to suppress evidence of a security breach.

http://www.eff.org/

Update on eBay Security Issue

by: GiovanniV666

Wed Sep 26 15:47:21 2007

Dimesy, I am not a lawyer or an orator and often have difficulty exprssing myself, furthermore I am not a typist, as you can see.
The facts are clear, that was removed for no reason , and if there had been a valid reason, I would have/should have been notified. I really do not need the stress of additional canned email responses from another huge ivory tower.
If anyone else cares to pick up that torch, be my guest.
It is now time to adapt and keep moving.
BTW, I was born without a "style gland"
:)

Update on eBay Security Issue

by: dimes

Wed Sep 26 16:41:41 2007

The video is still available for viewing here:

http://www.firemeg.com/

Update on eBay Security Issue

by: JoeS

Wed Sep 26 17:33:47 2007

Ebay's actions (sweeping it under the rug and such) is all about protecting the investors and the stock price.

What about protecting your users Ebay???

Update on eBay Security Issue

by: DOC

Thu Sep 27 13:47:50 2007

Here is the video and the comments screen captured just before it was pulled..

http://www.ebaymotorssucks.com/pulled-ebay-hack-video.
htm

Update on eBay Security Issue

by: Melody

Thu Sep 27 17:24:14 2007

This was just posted on ebay thread called IT NEVER HAPPENED on the Trust and Safety Board
It is a conversation with live help concerning the breach.
Post# 23
8:12:24 AM System
Steven S. S. has joined this session!
8:12:24 AM System
Connected with Steven S. S.
8:12:29 AM Steven S. S.
Hello, thank you for waiting and welcome to eBay Live Help! My name is Steven. If you’re a registered member, may I please start by having you confirm your User ID and first name?
8:12:43 AM jackie9978.
Hi, it's Jackie, Jackie9978.
8:13:19 AM Steven S. S.
Hi! Jackie. How are you today?
8:13:25 AM jackie9978
I've been better.
8:13:32 AM jackie9978
Are you ready for my question?
8:14:11 AM jackie9978
What protections is EBAY taking now that so many names and credit card numbers were allowed to be posted on one of your discussion boards? I know you want it to all disappear, but is EBAY safe or not?
8:14:19 AM Steven S. S.
O Sure!
8:15:39 AM Steven S. S.
May I have the link of the page you are referring to?
8:15:45 AM jackie9978
And, Steven S.S., why aren't you demanding that your ''boss'' bot issue a press release about this event that is causing many people to question the safety of ebay.
8:15:53 AM jackie9978
a link? You don't even know what happened on ebay?
8:16:56 AM Steven S. S.
I just need to make sure that the page you are viewing is of eBay.
8:18:08 AM jackie9978
Steven S. S., are you denying that EBAY allowed this awful thing to happen?
8:18:22 AM jackie9978
is EBAY safe or is EBAY unsafe?
8:19:49 AM Steven S. S.
Please be assured that eBay is a safe online trading site ad doesn't share any personal information.
8:20:13 AM jackie9978
Then, can you explain what happened yesterday on your Trust & Safety Discussion Board, please?
8:22:09 AM Steven S. S.
Sure.
8:23:59 AM Steven S. S.
Due to an exploit of a feature on the PayPal site, some eBay users’ contact information may have been exposed. As soon as we learned of this exploit, we worked very quickly to shut it down.
8:24:26 AM Steven S. S.
This occurred when eBay users clicked on the PayPal account signup URL from the eBay Web site. Third parties may have been able to enter an eBay ID and get the user’s contact information. [IF PRESSED, this information includes name, e-mail address, shipping information and phone numbers]
8:25:04 AM Steven S. S.
Information accessed did not include financial information like credit card numbers or bank account numbers. This information is kept under the highest levels of encryption on eBay’s and PayPal’s secure servers.
8:25:28 AM jackie9978
Then, why did that information appear on your Trust & Safety discussion board?
8:27:49 AM Steven S. S.
eBay and PayPal are very safe ways to buy and sell online. We have more than 2,000 professionals working to ensure the trust and safety of our systems every day. Because PayPal doesn’t share users’ financial information, privacy is built into the service.
8:28:06 AM jackie9978
Well, that isn't my question. You claim something never happened and it certainly did happen.
8:28:25 AM jackie9978
And, shame on you for trying to hide it. Just admit there was a mistake and FIX it so it does not happen again.
8:28:48 AM jackie9978
This wasn't a PAYPAL issue, this information was posted on YOUR boards.
8:30:02 AM Steven S. S.
As I said that it is pulled from there and it is possible that these unauthorized 3rd parties have posted this on the discussion board.
8:30:40 AM jackie9978
But, you said it never showed up on your website, which is false. Which is it? Was it a PAYPAL glitch or did EBAY permit this personal information to appear on your discussion boards?
8:33:14 AM Steven S. S.
It was due to a glitch as I mentioned.
8:33:29 AM jackie9978
lol, a ''glitch''.
8:34:01 AM jackie9978
So, Steven S. S., at first you denied it happened, then you called it a glitch.
8:34:04 AM Steven S. S.
This issue occurred when eBay users clicked on the PayPal account signup URL from the eBay Web site it was posted on the discussion board. The feature is designed to facilitate PayPal registration from eBay.
8:34:35 AM jackie9978
So, you're claiming that everyone who had their personal information posted did so by ''clicking a URL'' from a discussion board?
8:35:25 AM Steven S. S.
Not from the discussion board but when eBay users clicked on the PayPal account signup URL from the eBay Web site it was posted on the discussion board.
8:35:51 AM jackie9978
I see, so you're blaming PAYPAL for personal information of your users being posted on your discussion board?
8:36:00 AM Steven S. S.
Which I already cleared to you earlier and I didn't said it has not happened.
8:36:14 AM jackie9978
Steven S.S. doesn't that appear that you're simply passing the buck? Refusing to accept responsibility?
8:36:14 AM Steven S. S.
I just asked you the link of the page on which you saw it.
8:36:30 AM jackie9978
I saw it on Ebay's Trust & Safety discussion board approximately 24 hours ago.
8:36:41 AM jackie9978
That's your board, Steven S.S. not Paypal.
8:37:08 AM Steven S. S.
We are not playing a blame game but due to a glitch on the link it got posted on the discussion board.
8:37:12 AM jackie9978
You DID remove it, but the fact remains, EBAY permitted this information to be posted. And many people, myself included, are questioning the safety of EBAY.
8:37:30 AM jackie9978
So, Paypal redirected this information to your discussion board........
8:37:43 AM jackie9978
Steven S.S. that sounds so bizarre, is that the official story?
8:38:55 AM Steven S. S.
It was a glitch in the link on the eBay website link for PayPal because of which it got posted and which I already explained you many times.
8:39:15 AM jackie9978
Okay, it was a glitch on the EBAY link not Paypal now? Gotcha.
8:39:48 AM Steven S. S.
It's not that eBay knowingly allowed this to happen.
8:39:50 AM jackie9978
Steven S.S., don't you think EBAY should alert everyone that this ''glitch'' happened? And that you're taking precautions that it doesn't happen again?
8:42:35 AM Steven S. S.
I agree with you. However, it has been removed from the discussion board and our team is working on it.
8:42:58 AM Steven S. S.
Any update on this will be put on the announcement board to aware our members.
8:43:09 AM jackie9978
Steven S.S. acting as if it never happened isn't putting any faith into Ebay, but thank you for your time. Have a nice day.
8:43:40 AM Steven S. S.
You're welcome!
8:43:45 AM Steven S. S.
Is there anything else I can help you with today?
8:43:50 AM jackie9978
That will be all.

Update on eBay Security Issue

by: retired_seller

Fri Sep 28 00:01:31 2007

I stopped selling about a year ago. One of my accounts appears on the list of hacked accounts. The credit card info matches the info I used when I set up my seller account. Fortunately it's no longer valid.

Ebay asks for credit card info when you start to sell but apparently does not ever check again to see if the info is still valid. Therefore, the numbers posted by the hacker will be a mix of currently and formerly valid credit card numbers.

Also, I have now been sanctioned from posting to the discussion boards. I was slapped six times for discussing hex codes and other encryption issues. I was slapped four times for telling people that the best protection is to never ever click on a link in an email. I was slapped six times for quoting or mentioning the names of posters whom I have been told have also been sanctioned. Not bad for a mornings word, huh?

Update on eBay Security Issue

by: Louise

Fri Sep 28 09:53:34 2007

I am so frustrated by not having a verified answer on whether or not any of the credit card IDs are valid or not.

I don't believe eBay, but I wish Auctionbytes would do a follow-up now that people have had time to cancel the credit card numbers posted if they were good numbers in the first place. I want to hear from an independent source that they were able to verify that a valid number was posted.

I have now seen 4 posters report they were on the list and the numbers were valid. And I would like to believe every one of them, but one of the most virulent anti-eBay posters has admitted to having 24 eBay IDs and considers Vladuz to be Robin Hood's first cousin, so I can't fully let go of my reservations.

The post above sounds totally credible until that last paragraph and then it just starts to look like another person with eBay issues.

I have a particular problem with this statement: ''I was slapped four times for telling people that the best protection is to never ever click on a link in an email.'' I'm sorry, but you won't get slapped for that. I can see slaps coming at you for mentioning sanctioned users, and possibly for the code discussion - although they would have to label it differently, but not for advice that eBay itself gives out. Not multiple times. Not even if you have a troll following you around reporting everything you post. You got reported for something else, or there is something wrong with your story.

I have posted lists of names, articles from Auctionbytes, little dialogues with Vladuz and have thrown the Vladuz name out there over and over again and I have yet to be slapped for any of it, although the two lists of names were pulled.

And don't tell me about the guy with the ipod purchase - he stated that the number he gave was ultimately denied, so his story just ended in a big question mark too. I'm getting tired of not being able to get past that question mark.

Update on eBay Security Issue

by: bi08

Fri Sep 28 11:44:54 2007

....and today there was evidence of a new hacking. The Me page of eBay employee Scott Noyce was hacked and all his personal info was listed.

In addition, a link from the hacked me page led to a site which accused eBay of maliciously targeting and harassing their site because they had been critical of ebay in the past.

The Me page (and Trust and Safety board thread) have now been removed, though the Me page was up for at least 4 hours and the thread for an hour.

http://www.shenemanfamily.com/vlad2.html has been updated to show the latest compromised info

Update on eBay Security Issue

by: dimes

Fri Sep 28 13:18:24 2007

A hacker with a grudge must be the most dangerous kind of intruder.

I can see why he'd target the eBay employee who emailed that German website demanding that it remove its Vladuz page.

Wonder whose info we'll be seeing next.

Update on eBay Security Issue

by: vladuz

Fri Sep 28 14:03:05 2007

who's information would you like to see? ;p

Update on eBay Security Issue

by: helix

Fri Sep 28 17:20:20 2007

Hi Vladuz!
Just an idea.. the credit card and ccv2
numbers are correct?
But they are not on there right place?
Not belong to the respective account?

Update on eBay Security Issue

by: 0ctavia

Sat Sep 29 06:10:01 2007

Helix ... I'm not sure if that was Vladuz who posted the comment before yours as I received a message from Vladuz (definitely the real one) on Pheebay.com asking me to contact Ina re a message on here from "Vladuz", wanting it removed because he is not the author.
I think you are also a member of Pheebay.com so perhaps you would like to post a message in this thread for Vladuz http://www.pheebay.com/forums/viewtopic.php?t=3048

Update on eBay Security Issue

by: 0ctavia

Sat Sep 29 06:11:41 2007

Made it easier, you can click on my name to get to the thread :-)

Update on eBay Security Issue

by: 0ctavia

Sat Sep 29 06:13:06 2007

That didn't seem to work :p

Update on eBay Security Issue

by: louise

Sat Sep 29 08:54:11 2007

"...I received a message from Vladuz (definitely the real one) on Pheebay.com"

Octavia, I know you've got some loser on your site calling himself Vladuz and you and your regulars fawn on him in rather pathetic fashion every time he drops in on you, but how on earth do you know he's the real one?

Update on eBay Security Issue

by: chopsbuster

Sat Sep 29 14:36:17 2007

This was eBay's spiel on Wednesday, in 'The Chatter' blog:

''Each of these accounts was the victim of an Account Take Over, most likely through a successful phishing campaign. eBay has been in contact by phone with many of these members, and there is a My Messages email going out to impacted accounts to further our reach.''

That explanation was plainly untruthful. If eBay honestly believed that the accounts had been hijacked, those accounts (all 1,200 of them!) would have been shut down immediately until they could be restored to their rightful owners. That has always been eBay's policy in the event of account takeovers, as eBay's spokesman Hani Durzy told AuctionBytes on Feb. 23rd (http://www.auctionbytes.com/cab/abn/y07/m02/i23/s01), and indeed it's the only policy that makes sense. To email a hijacked account, so that the email will be received by the hijacker rather than the true owner, is obviously absurd... yet that's what eBay claims to have done this week.

Join the discussion here: http://www.thecarwashlive.com/forums/showthread.php?t=6083

Update on eBay Security Issue

by: JC

Sat Sep 29 18:03:13 2007

I received a message from Vladuz (definitely the real one) on Pheebay.com asking me to contact Ina re a message on here from "Vladuz", wanting it removed

I find this hilarious. The big, bad hacker has to have someone ask to have the post removed? Why can't he remove it himself - he is a "hacker" after all...

Update on eBay Security Issue

by: sandypurins

Sun Sep 30 04:26:46 2007

vladuz, My eBay ID is sandypurins... can you change my eBay ''me'' page or post my personal information on the eBay PayPal board?

Update on eBay Security Issue

by: GiovanniV666

Sun Sep 30 09:47:28 2007

:)

http://www.youtube.com/watch?v=7ZLEMuFwl_Q

Click to view more comments
1 2 3 4 [Next Page]

Recent Posts

Recent Comments

Archives


Site Index Copyright 1999-2009. Steiner Associates LLC. All rights reserved. Privacy Policy.