I spent my weekend (including my 38th birthday yesterday) learning about a story that ebaY and PayPal would rather you not have a clue about.
Too bad for them that I’m going to spill the beans so you can protect yourself from a security compromise the impact of which is too huge to get your mind around.
The bottom line?
ebaY has been hacked. Big time. Multiple breaches even. And your ebaY accounts, your PayPal accounts, and all of the financial information attached to them could be seriously compromised.
Most Americans are unaware of what has happened as most of the auctions affected were run by non-US sellers but somewhere around December of 2006 it became clear that certain nefarious people (generally outside of the USA) were able to take over innocent people’s accounts (a TKO in ebaY speak), run all kinds of scamming and infringing listings, divert funds from the sellers PayPal accounts, stiffing both buyers and sellers and generally cause a lot of grief and harm for these innocent sellers and their unsuspecting bidders.
ebaY wants you to believe that this was a couple of isolated, minimally damaging incidents, that they’re all in the past and that sellers and bidders are either too careless in how they come up with their passwords or that they are too trusting and will easily allow themselves to tricked into clicking on a link in an unsolicited email and thereby duped into giving sellers their names and passwords.
To spin one of their slogans: ebaY is full of “it”
Over the past few days a Romanian hacker calling himself (or herself) “vladuz” has posted screenshots of a few pages from ebaY’s internal databases…one showed a taken over seller’s account history and the more sinister one showed ebaY employee names, email addresses, and passwords.
Take a look at http://www.auctionguild.com/generic148.html and feel free to shudder. I know I did when I saw what was there.
I am certainly not very knowledgeable about executing hacks and cracks but I can sure tell you this…what vladuz showed off, you can’t get access to via mere carelessness with an ordinary user’s email address and password or clicking in email links. Possibly if you did act so ‘carelessly’ with an ebaY.com account, you could have let someone into the ebaY system, but until vladuz surfaced, presumably you had to be an ebaY employee to have an ebaY.com email address and access to their databases, servers and the information of millions of registered users around the world. And presumably ebaY employees were taught by ebaY not to be so careless with an ebaY.com account…but I digress..
As of yet no one is really sure what all vladuz has access to…over the past several hours, ebaY users (especially those in the UK and Germany) have seen vladuz take over other people’s auctions (and as proof vladuz includes either ‘zudlav’ or ‘vladuz’ in the auction listing text), compromise two existing ebaY employee accounts and post using their ids to ebaY discussion boards (which are often called ‘pink’ accounts or ‘pinks’ or ‘pinkliners’ for the pink header line that is automatically attached to an ebaY.com account’s posting to an ebaY discussion board), and even *create* his or her very own pink account (vladuzsgi).
So what the heck has ebaY been doing about this?
Well besides pulling hijacked auctions as fast as they can find them and essentially chasing their own tails because new auctions are constantly and repeatedly taken over, ebaY has been actively doing everything it can to KILL THIS STORY. Those in charge at ebaY have not only been deleting vladuz’s discussion posts on ebaY discussion boards, they delete any postings mentioning the name ‘vladuz’ by other ebaY users, they delete postings with the word ‘hacked’ in them, and they suspend users who keep discussing the same from being able to post to the ebaY discussion boards.
While I find this a somewhat questionable use of their time money and resources (while they chase discussion board posters away, vladuz keeps popping up to show off what else he/she has access to and can exploit) ebaY at least has some justification for trying to gag their own users on their own site.
However as of yesterday ebaY went too far.
ebaY is attempting to supress the information of which an increasing number of its users are already aware…that the implications of these hacking incidents are that a large quantity of sensitive information (financial and otherwise) are at extreme risk and that the problem is so huge that ebaY has to come clean with the whole wide world.
Instead the powers behind ebaY are intimidating both ordinary registered users and those who are online authorities who cover online auction related news. In particular the treatment of the people behind The Auction Guild is especially suspicious: TAG’s legitimate questions about vladuz and the purported security of ebaY and PayPal were fobbed off onto an inexperienced ebaY PR spokesperson
and now for some strange reason if you visit TAG’s site using an the Opera browser, their site is on a list of ‘suspected fradulent sites’
The fact that according to the article above ebaY’s legal team is attempting to intimidate vladuz’s web host (who is in Germany) into following US tradmark law and the DMCA to stop a purportedly Romanian hacker (who could be anywhere in the world right now) not withstanding, all signs point to the fact that whoever is running ebaY has officially lost their collective mind.
Strongarming internet users and journalists into silence isn’t going to solve the problem…coming clean with users (which if PayPal has been compromised may be *required* under California state law at least as far as ebaY users registered in California are concerned and it would not be hard for the powers that be in Sacramento to get jurisdiction over the company up the road in San Jose or the company they own a few states over in Omaha) and taking the business of online security more seriously is the ONLY VIABLE WAY out of this morass.
My more knowledgable friends say that solving ebaY’s security holes may not be possible given how cobbled together the whole architecture of the ebaY-PayPal system is. I don’t know if that is true but it is time to address the most important question:
If I’m an ebaY and/or a PayPal user, what do I do to protect myself?
First, from now on watch your ebaY and PayPal accounts and the bank and credit card accounts attached to them *like a hawk*. If you see something suspicious, notify the appropriate parties immediately.
If you have largely inactive or abandoned ebaY or PayPal accounts you should close them *immediately*. Keep your balances in your still used PayPal account(s) low and transfer money out of them (preferably and ultimately to a more secure bank account not attached to a PayPal account) often.
In terms of bidding on ebaY auctions that require payment by *PayPal only*, consider setting up a PayPal account for payment whose only source for funding is one of the preloaded fixed limit credit cards you can purchase at your local bank/shopping mall/grocery store…the fees for these run from $2-$10 but the peace of mind they could provide may be worth that many times over. Such card numbers can also be attached to a throwaway free email account if you further want to protect your privacy and minimize spam and phishing emails.
In terms of accepting money via some kind of third party online payment system, you might consider signing up for Google Payments, but if you are selling items on ebaY, be aware that ebaY cancels ebaY auction listings that state that they accept Google Payments (talk about being anti-competitive and monopolistic).
I really don’t have a good solution for ebaY sellers short of just not offering PayPal payment as an option…they may be forced to go back to money orders and possible personal or business checks and get merchant accounts for credit card processing for payment, but better safe and a little slower and possibly more expensive than fast cheap and sorry.
It also goes without saying that you should *never* send wire transfers (Western Union, MoneyGram, etc) to pay for anything you buy online…once the money is wired it is G-O-N-E forever.
Finally tell your friends and family who use ebaY or PayPal know what is happening there and discuss ideas for protecting yourselves when you bid or buy online with them.
Anyhow here are some story links to get you started educating yourself on this situation (it’s too bad I have to do what ebaY should be doing):
Typical screen captured ebaY discussions are available at:
Groups discussing this issue off of ebaY and in their own forums are at
Oh and for the powers that be at ebaY/PayPal who might want to have their legal teams send me harassing letters, etc…it might behoove you to know that I happen to be a licensed attorney (my bar card is from Texas) and I can figure out what all my rights and legal protections are….enough said.