March 18, 2008

my ebay account was hijacked

It started this morning with a random email that came in to our home email account that said...
Dear xxxxxx,
I see that you have purchased 15 XBOX live codes. This is a large transaction. Do you have some kind of ID that you could send to me to prove that you are you?

Lydia, just like I would have, assumed it was a weak phishing scam.

When I got to work, I checked (as I am wont to do from time to time) my Yahoo email and saw that there were 142 or so emails in my inbox, as usual. And, as usual, I knocked out four or five before I got a work email and had to abandon it for my day job.

Around lunchtime, I opened my Yahoo email again... or tried to. My password didn't work.

Hm... that's odd.

Luckily, Yahoo has a very simple (albeit information-intensive) password recovery process that I zipped through, and I returned to Yahoo! mail... an empty inbox.

Have you ever left your car door unlocked with your iPod on the dash, and then realized it after you got away from the vehicle? Same feeling, only I don't remember leaving the door unlocked.

First stop: paypal, and I'm glad I did, because I found this:

Mar. 18, 2008   Payment To G-ROM Inc.                                   Completed   -€598.50 EUR
Mar. 18, 2008   Currency Conversion (credit) To Euro From U.S. Dollar   Completed    €598.50 EUR
Mar. 18, 2008   Currency Conversion (debit) From U.S. Dollar To Euro    Completed   -$968.77 USD
Mar. 18, 2008   Transfer From Bank Account                              Completed    $968.77 USD
Mar. 18, 2008   Payment To abelds                                       Completed   -€546.75 EUR
Mar. 18, 2008   Currency Conversion (credit) To Euro From U.S. Dollar   Completed    €546.75 EUR
Mar. 18, 2008   Currency Conversion (debit) From U.S. Dollar To Euro    Completed   -$885.01 USD
Mar. 18, 2008   Transfer From Bank Account                              Completed    $885.01 USD

At PayPal, it took me a while to figure out how to deal with fraudulent charges, which they call an "unauthorized transaction claim". When I clicked through the "details" links on the transactions, I found that they both linked back to ebay auctions for XBOX Live gift cards.

Part of PayPal's process is changing your password, which made me realize... I need to change all my passwords.

Next stop - ebay, while calling our bank.

On the phone with the bank, I found that no charges had posted from PayPal. I changed my online password just to be sure.

At ebay, I tried to log in, and found my ebay password had been changed. Ebay's "Security and Resolution Center" has a great step-by-step guide to recovering your hijacked account. When I logged in to change my password, the site appeared completely in German. I did all the steps (some in advance of getting there, of course) and regained access to my account.

PayPal disputed both charges, and credited them back before they ever hit my bank account, making good on their "100% protection against unauthorized payments sent from your account."

This was all resolved within a matter of hours, and both sellers whose auctions the hijacker had bid on were very kind and understood the problem. One was in Spain and the other in France. Just for good measure, tonight I put a "fraud alert" on my credit bureau reports and changed a bunch of other passwords (including my Blogger one.)

I suppose I really should thank the scammer for being both benevolent and stupid. He didn't look for other websites to exploit, even though I had "in the clear" usernames and passwords stored in emails. And, he didn't think to change the registered email address anywhere along the line so that notifications would go elsewhere.

the takeaways
  • Change your passwords. I'd be embarrassed to tell you how old the passwords were at Yahoo and ebay. Okay, I'll tell you... both of them were the original passwords that I received or established when I set up the accounts. If you can't remember the last time you changed your password, do it. Today.
  • Make your password strong. There are lots of places you can "test" your password. Neither password I used was vulnerable to a dictionary attack, but one was only four characters long. There are also lots of resources to help you create a strong password. If you want a REALLY strong password, visit Steve Gibson's generator page.
  • Don't use the same password at different sites. I had used the same (medium strength) password at Yahoo and PayPal. I don't any more.
  • Don't assume that because it hasn't happened yet, it won't. It took about eight years for someone to hijack my ebay account. Hopefully, it'll be more than eight before it happens again.
  • Don't leave important information sitting out in a web-based email account that is only protected by a simple password. Nuff said.
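To put numbers behind the "strong password" and "don't reuse passwords" points above, here is a small Python script added for this page (it is not from the original post and does not reproduce any password checker the post links to). It estimates how long a password survives a dictionary attack or an exhaustive search, and generates a fresh random password per site so none has to be reused. The wordlist, the guess rates (a rate-limited login form versus an offline crack of a leaked hash) and the rating thresholds are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a dictionary-attack wordlist. A real one has
# millions of entries; a handful is enough to show the check (assumption).
SAMPLE_DICTIONARY = {"password", "letmein", "xbox", "ebay", "yahoo", "qwerty", "123456"}

# Assumed guess rates: a rate-limited web login vs. an offline attacker
# cracking a leaked password hash on a GPU. Both figures are assumptions.
ONLINE_GUESSES_PER_SECOND = 100
OFFLINE_GUESSES_PER_SECOND = 10**9

CHARACTER_CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
]


def alphabet_size(password):
    """Size of the smallest alphabet covering every character class used."""
    size = 0
    for _, chars in CHARACTER_CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (e.g. a space) add one symbol.
    if any(all(c not in chars for _, chars in CHARACTER_CLASSES) for c in password):
        size += 1
    return size


def entropy_bits(password):
    """Brute-force entropy, assuming the attacker knows length and classes."""
    return len(password) * math.log2(alphabet_size(password))


def in_dictionary(password, wordlist=SAMPLE_DICTIONARY):
    """True if the password is a dictionary word, ignoring case and trailing digits."""
    lowered = password.lower()
    base = lowered.rstrip(string.digits)
    return lowered in wordlist or base in wordlist


def seconds_to_crack(password, guesses_per_second):
    """Expected time to find the password: the wordlist size if it is a
    dictionary word, otherwise half the keyspace at the given guess rate."""
    if in_dictionary(password):
        return len(SAMPLE_DICTIONARY) / guesses_per_second
    return (2 ** entropy_bits(password)) / 2 / guesses_per_second


def assess(password):
    """Summarise a password's strength. Thresholds (40/80 bits) are assumptions."""
    bits = entropy_bits(password)
    dictionary_hit = in_dictionary(password)
    if dictionary_hit or bits < 40:
        rating = "weak"
    elif bits < 80:
        rating = "ok"
    else:
        rating = "strong"
    return {
        "length": len(password),
        "entropy_bits": round(bits, 1),
        "dictionary_word": dictionary_hit,
        "online_seconds": seconds_to_crack(password, ONLINE_GUESSES_PER_SECOND),
        "offline_seconds": seconds_to_crack(password, OFFLINE_GUESSES_PER_SECOND),
        "rating": rating,
    }


def generate_password(length=16):
    """A fresh, random password from the OS CSPRNG; call once per site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample passwords: a four-character one like the post's,
    # a dictionary word with a digit, and a generated one.
    for pw in ["abcd", "Password1", generate_password()]:
        print(pw, assess(pw))
```

Running it shows the point the post makes: a four-character lowercase password has under 19 bits of entropy and falls to an exhaustive search in well under an hour even against a rate-limited login form, and "Password1" is found instantly because the dictionary check strips the trailing digit. A 16-character generated password, by contrast, is out of reach of offline cracking for longer than the age of the universe, and generating a new one for each site means a leak at Yahoo cannot be replayed against PayPal.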


Dave said...

Wow, that stinks. Nice recovery though. Now I know what I'm going to do. Password change!

Anonymous said...

Sorry to hear about your experience!!



Anonymous said...

Wow! What a learning experience that We need to learn from too. Thanks for sharing!! So glad your recovery was quick and the damage seemed to be little to none.

Sally :)