Wednesday, September 26, 2007

Has YOUR ebaY Account Been Compromised?

On Tuesday 25 Sep 2007 at 5:42 AM ebaY time, a hacker posted 29 to 50 pages of ebaY user information on the ebaY Trust and Safety discussion board (at approximately 40 threads per page, that is between 1100 and 2000 user IDs). Each thread was posted using the user ID and account of the very user whose information it contained, and the information included the ebaY user ID, email address, phone, name, street, city, state, zip, country, feedback info, what site they registered on, user status, PowerSeller status, payment method they used to pay ebaY, credit card number (with expiration date), credit card CVV2 code (the three digit security code on the back of the card), whether they are ID verified, whether they have an ebaY store and which site that store is registered on, and whether they are PayPal verified or not. The threads that contained the info also had a signature at the bottom of the post - "SGI Inc. - emocnI gnitareneG rof snoituloS" (Solutions for Generating Income spelled backwards). SGI Inc. is the company name used by Vladuz, a hacker who has demonstrated that he has the ability to access ebaY databases.

This first image shows the ebaY Trust and Safety discussion board thread list, with a detail of the thread listings.

The next image is the actual thread page you saw when clicking on the thread link from the previous image. We have masked parts of the info to protect the innocent.

Note the Vladuz signature on the bottom line.
For more screen shots of the pages, please go to TAG CHAT

After around 90 minutes of exposure, ebaY shut down the Trust and Safety board at around 7:15 AM, after first trying to remove the thread posts one at a time (the hacker was faster at posting than ebaY was at removing). One poster on the board discussing this incident, who saw the information, ran one of the credit card numbers posted through his merchant account verification, and it came back correct. Other posters said the CC info was not correct. Board posters got screenshots and compiled a list of user IDs so folks could check whether their user ID was posted. When one board poster put the list on her ebaY Me page, ebaY removed the page and gave her a pink slap (an official violation notice with the threat of suspension).

We have a list of the IDs we have compiled from some of the screen shots we had access to and those lists posted by other folks on various boards (including ebaY's) around the net. You can view the list we compiled at this link. This list is NOT complete as it is believed there were over 1500 user IDs posted.
Compromised ID List


The first ebaY responses were posted on their discussion boards and then removed, and were an obvious effort to cover themselves. Xavier's posts were removed soon after they were posted.

xman@ebay.com 26-09-07 00:31 EST (post 58 of 61)
Hi all, we're looking into why this happened however I've confirmed with the US teams that the credit card information was indeed false for all the accounts.

Looks like it only affected that 1 US Board but the engineers are diligently working to ensure this won't ever happen again.
Xavier
The eBay Team
-------------------
xman@ebay.com 26-09-07 00:47 EST (post 82 of 88)
The site wasn't actually hacked... it was a server issue where the system displayed the poster's information rather than the post itself. Being that the credit card information was on a different server, that info came up incorrect. It was not some hacker sitting there entering in someone's information and using a card generator.
Xavier
The eBay Team
---------------
Trust & Safety forums issue this morning

Posted by eBay Chatter on September 25, 2007 at 02:15 PM in General | Permalink

Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.

Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account takeover.

The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members, so that if the information is valid somehow -- regardless of how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.

eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.

I'll update this story later as we have more to share.
----------------

Various ebaY spokespersons also made statements, in response to press inquiries and to calls from power sellers and others, that this was a hoax; that the information had been posted by a disgruntled user with access to the API; that the information was not valid; and that the credit card numbers were not real, or if they were real, that they did not come from ebaY's database and were unrelated to info on ebaY. ebaY also said the information was real but had been phished from users off ebaY (this is ebaY's favorite excuse for security breaches, even though it has been proven false on many occasions). What ebaY did not do (and still has not done) was post anything on the announcement board informing users of the problem and warning them to watch their accounts and charge cards for possible misuse. Users have reported that ebaY has been making calls to those whose information was posted, to inform them of the breach. This is required by California law whenever a breach of user information occurs.

With all the rumor, hearsay and damage control going on, there are still some hard facts that need to be looked at:

Fact 1 - Someone had the ability to post on ebaY's boards with the user ID and account of another person. This requires having the ebaY password for the account, or the ability to access and use accounts without passwords. This person was able to post threads faster than ebaY could remove them, leaving ebaY no option but to shut down the Trust and Safety board completely.

Fact 2 - TAG had access to a small arbitrary sampling of the user account pages posted and checked what information we could against what is available to ebaY and PayPal users, and to those using the internet. Here is what we found:

* The User ID, email address, date registered, whether they had a store or not, and feedback numbers registered/shown on ebaY matched 100% of the time
* The PayPal information as to whether the user had a verified account or not was correct for 83% of the users
* The ebaY ID verified information was correct for 83% of the users
* When a reverse lookup online was used on the phone numbers to check the names/addresses listed, 33% did not match the name or address, 50% were unlisted and so were unavailable to check, and 17% were correct for the info shown
* When an address check was run using the white pages online with the name given, 66% of the information did not match, 17% were correct and 17% were listed as unavailable

We could not check the credit card numbers, and decided these people had probably been harassed enough about this, so we would not call them directly to ask them to verify. But if you are one of the people whose account was posted and your credit card info does match that shown on the ebaY T&S board, and particularly if that information is the information used on ebaY's site, please feel free to contact us and let us know, and we will update this information here.

Fact 3 - ebaY always chooses to lie, cover their back and waffle rather than coming out and telling the truth, whether that truth is that they just don't know what happened or how, or that their system had been compromised in some way (which it evidently had been in at least some manner - see Fact 1). They lie so readily and frequently that it is impossible to believe anything they say.

Fact 4 - Evidence of problems with ebaY's system can be seen in the hundreds and thousands of scam listings posted on ebaY every day. Though the furor of reporting about this has fizzled out since the mass of Vladuz reporting earlier this year, these listings are an everyday occurrence on ebaY.

Since ebaY obviously does not know how deep this problem goes, it is possible that ALL user information on the ebaY site has been breached. So if you have ever used ebaY and have any sensitive information recorded on the site - such as credit card or bank account information - you need to monitor your accounts for possible problems. Unfortunately, ebaY is not the only vulnerable site, online or off, so regular checks of your credit card bills and bank accounts should now be a way of life; individuals MUST make this part of their usual routines. The other thing that is abundantly clear in all this is that ebaY is NOT secure, even if we consider only the user ID and email address factor that ebaY is so adamant about, hiding user IDs from users but obviously not from scammers. But then ebaY's lack of secure systems has been obvious since we first reported on the activities of Vladuz and the Chinese hackers, 11 months ago.

Assistance with this article needs to be credited to
Doc at EBAY MOTORS SUCKS - this is a good board to check for the day to day hacker listings on ebaY and especially for anything going on at ebaY Motors
The posters on the ebaY Seller Central Discussion Board
The posters on the ebaY AU Discussion Boards
And several ebaY users with the guts to post User ID lists on and off ebaY, so they were available to all ebaY users despite ebaY's efforts to hide as much information as possible.

Want to assist TAG in continuing its work? Sign up for a voluntary subscription to TAGnotes, and provide support that will keep information coming to your email boxes and the lights on at our websites. To purchase a voluntary subscription, click on the button that follows.