My first eBay thread

mrk

mrk

Man of Honour
Joined
18 Oct 2002
Posts
103,110
Location
South Coast
Well, this is something I never thought I'd be posting!

Earlier today I received three emails thanking me for some eBay purchases. I initially thought they were scam emails, as they usually are, the "click link x to vie order details" sort But the source and emails were in fact genuine.

I logged into eBay, and saw that three orders had been placed totalling £133.93. The cheapest was a £4.50 odd "Sexy Women's Summer Bandage Bodycon Evening Party Cocktail Club Short Mini Dress", and the most expensive being a BOSCH air flow meter for a car at £90+P&P. The second item was also a dress, but not the sexy kind. I guess some days you just don't need to feel sexy.

I immediately changed my eBay password, and noticed that security questions were not enabled. In fact I don't think I ever enabled these when the function became available years ago, but my password was a secure one. I can only imagine that someone brute forced it due to the account not having security questions set, and they were able to pay for the items using the automatic checkout via PayPal option (now disabled).

Kudos to both PayPal and eBay though. I phoned them both, and they instantly flagged the transactions, blocked the device used to log into my eBay account.

My PayPal and email accounts are both secured via two step auth, but eBay doesn't have this feature, security questions is about as secure as it gets. Luckily, the culprit only made those purchases and didn't change any account details (I get emails for any changes to the account anyway). The delivery addresses at checkout for all three items were to a flat in Aberdeen.

So, can we assemble a letterbox army and destroy this vile beast with chocolate?

For what it's worth, I have had eBay/PayPal since 2001, and have always had a pleasant experience. Today's incident hasn't changed that feeling as it has shown me how quickly and effectively both of them deal with such issues.
 
Last edited:
I guess some days you just don't need to feel sexy.

Not true!

Glad you got it all sorted out though. The more and more stories a read like this, the more I consider using a password manager so I have a strong unique password for every single site. At the moment i use the same one for almost everything and have done for years which is a huge security liability.
 
Not true!

Glad you got it all sorted out though. The more and more stories a read like this, the more I consider using a password manager so I have a strong unique password for every single site. At the moment i use the same one for almost everything and have done for years which is a huge security liability.


I (nor eBay) know how they got my password. But IMO it was only one of two ways. Either via brute force, or via one of the leaks that has happened over the past year or so. I had not changed my eBay password for a few years as had no reason to do so. Now if my account details were on one of the leaked lists, perhaps someone chanced it and got in that way.

Both instances would still have the same outcome if a password manager was being used, unless said manager changes the hashed password every so often automatically?
 
Aha, Esslemont Avenue! I went to Uni in Aberdeen and frequently walked through this street, had this been 5 years earlier I would have happily deposited a certain object through the letterbox ;) :D
 
I'm not sure you should be posting someone's address in this context. How do you know the scammer lives there? Maybe the resident has been scammed also, and instead of a sexy red dress through the letterbox... they're getting poop. :(
 
But all three items were to the same address. And the items themselves are quite specific!

Plus, they were addressed to my name at that address. now I only know of one other person on the planet with the same name as me, and he's a rapper in Canada :D

I'm guessing it's a group effort involving two people. But I see where you're coming from, and the mods can remove the link if they feel it's best to heed caution.
 
I (nor eBay) know how they got my password. But IMO it was only one of two ways. Either via brute force, or via one of the leaks that has happened over the past year or so. I had not changed my eBay password for a few years as had no reason to do so. Now if my account details were on one of the leaked lists, perhaps someone chanced it and got in that way.

Both instances would still have the same outcome if a password manager was being used, unless said manager changes the hashed password every so often automatically?

True but nothing else would have been compromised at the very least. Password managers can also generate very long and complex passwords which makes them much much harder to brute force.
 
Hmm I guess so, but I like to have convenience and security in reaosnable combination where possible with things like this. I use the apps on my phone for both services regularly, so would need the same manager on the phone inputting the hashed password into the eBay app as well.

This would be a non issue if eBay supported two step authentication like all other big sites do. It means instant rejection to anyone trying to access an account from a new device, even if they have the correct password.
 
Back
Top Bottom