Hacked!?!
The panic that sets in when you realize one of your accounts has been ‘hacked’ is not very pleasant. How, where, what else? all come to mind. Its all very humbling. When the initial panic is over and you feel you have ‘locked down’ the afflicted accounts, there is time for analysis, so here is mine.
Background
I also own a mail order business, and we have dedicated Ebay and PayPal accounts for it. As all members of staff can access these to order packaging items from Ebay and check customer payments on PayPal, the passwords, particularly for Ebay were not the strongest so that they could be easily memorized. Fortunately the passwords are different for each account.
What Happened
So, late last night I noticed an email by chance, Ebay Order confirmed Brand new iPhoneX. WTF? So I looked in Ebay at recent purchases and nothing there. I almost dismissed it but I also checked the PayPal emails (on a separate email account) and lo and behold, it was there. Over £1,000!
First things first, change passwords
So I set about changing passwords on both accounts straight away, but I was thinking how did they access in the first place? So I changed both passwords to something more secure making sure they are still both completely different. Once passwords were changed, I realized that there was no need for them to have accessed the Paypal account as it had long since been linked to the Ebay account through one of those simple one-click scenarios. (You actually have to consciously avoid enabling that every time you check out, but one day someone obviously gave in and enabled it).
Disputing the Purchase
Fortunately in this case, I spotted it quickly and put in a cancellation request with the seller and also a PayPal Dispute straight away. [Surely enough, first thing this morning, the matter was all but resolved]. There was a complication in this instance as the PayPal balance was only around £30 before this purchase, so there was still over £1000 due to come out of my bank account. On contacting PayPal, they suggested I cancel the arrangement with my bank to make sure it wasn’t attempted to be withdrawn (there’s not that much in there anyway!) and the failed withdraw would not be held against me as the transaction was already cancelled. I would suggest anyone with a similar scenario check this for themselves though.
If the item had already been sent, it would be a much more complicated matter.
Removing pre-authorized PayPal payment option from Ebay
Now that was done I wanted to remove this facility, although it wasn’t that easy, there are many forum posts about people having problems doing it. It appears that there was once an option in Ebay under Account > PayPal Account to remove the link if there is one set up already, but some say its not there or it didn’t work for them. But I also found under Personal Information > Financial Information > Saved Checkout Payment Methods, so perhaps that is a new way to do it. I also got the following from email from Paypal later on when I discussed it with them.
Thank you for contacting PayPal.
Regarding unlinking your accounts… there are 2 types of eBay to PayPal account linkage… the one needed to bid on items where the seller requires the buyer to have a PayPal account, and the other is for eBay streamlined checkout.
To unlink your PayPal account from your eBay account:
Click “My eBay” at the top of most eBay pages.
Click the “Account” tab.
Click the “PayPal Account” link on the left side of the page.
Click the “Remove” link.
To undo the eBay streamlined checkout linkage… login to your PayPal account and go to “Profile” >> “My money” >> “My preapproved payments” and remove the pre-authorization for eBay payments.
A flood of emails..
Now as I checked my emails to make sure the password changes had been confirmed, I noticed I was getting flooded with a load of emails! The minutes immediately following the purchase, literally hundreds of confirmation emails came through for all sorts of subscriptions (mainly wordpress sites). This was obviously done by some script that the culprit set off to swamp my inbox and hopefully hide the Ebay and PayPal purchase emails. Fortunately, I had noticed it straight away as it could easily have been missed among hundreds of these emails which is of course the idea.
Checking Ebay for any other activity
So at this point I was quite satisfied that the culprit had only accessed my Ebay account and the payment was via PayPal because the account was linked for streamlined checkout. So I investigated in Ebay to see what else might have happened. First I went back to the email and clicked on the item in it and sure enough it was showing there, but it wasn’t in my purchase history. Then I noticed there is a Visible / Hidden option in the Purchase History list, and sure enough it was in the Hidden listings. But then there was another produced bought a few days earlier that I hadn’t noticed! So it turns out they had access to this account for a few days already. They started with a small purchase to test the water, then when it went unnoticed, they went for a larger purchase!
Disputing the other purchase
Now this is an ongoing dispute, so I will update this later, but the seller appears to have despatched that item several days ago so they have fulfilled their part of the transaction. The fact that it is to a bogus address that the culprit added to my account and they were able to do this with (I am deducing) just my password is another matter I will touch on later. But dispute it I have. I obviously tried to cancel the Ebay purchase first, but the seller has already sent it. If it was with a courier that had not yet delivered it, it may have been possible to have the item returned, but this is not the case here.
Who is responsible?
Well it’s easy to blame someone for a weak password, but ultimately there is always a chance a password can be guessed, accidentally divulged or hacked. The most important thing is not to use the same password for all. If the Email, PayPal and Ebay passwords were all the same, the culprit could have intercepted and delete emails before I saw them, lock me out of all my accounts and do untold damage before I was able to get a access to the accounts to find out what was happening, maybe not even knowing anything had happened until I next tried logging in. Frustratingly, PayPal phone lines are closed late evenings so one would have to wait until the next day in this scenario. So I will update this depending on how the PayPal dispute goes on this one, as myself, Ebay and PayPal are all involved, I need to analyse in more detail to comment further.
Security Concerns
At this stage, I would hope that it was just a brute force password attempt but it seems unlikely as I am sure Ebay will lock an account after several failed attempts. I hope no-one was careless enough to click a link in an fake email and log in from there but at least that would limit the damage to that one account. If the same password is used for more than one website, someone with access to one of those other websites (even a hacker) would be able to try other websites and Ebay would be a prime target. (Even if a hacker only accesses encrypted passwords, there are techniques they can use to find the password). It is possible this password was used on more than one account, so changing all passwords to all websites accessed to unique ones is now a priority. A worse scenario is that there is a keylogger on one of the computers used to access the Ebay account, or another form of malware that accesses saved passwords etc. In this case, they may have also accessed other accounts. The computer I am writing on is Linux and I am pretty careful, so I am fairly confident this is not the source. Again, I will update this section when I find out more.
Re-checking for other damage
I also went back through the Ebay account, making sure all phone numbers and addresses were accurate and up-to-date, deleting the fake address that had been added and checking for other settings. I noticed under My Account > Site Preferences > General Preferences > Third Party Authorisation there was an entry added in there! I quickly removed it as I guess that would act as a back door for ongoing access to the account. In my haste, I neglected to make a note of what the setting was but I guess I could ask Ebay.
We always wait til something goes wrong..
Well its human nature isn’t it. But this has been a kick up the backside and now I am going to be extra careful. I am just so thankful that the passwords are all different and I hope that this inspires some others to take action early and prevent this – or much worse – happening to you.
Update: 1 week later..
Well, there has been no further incidents and the money has been fully refunded by PayPal with minimal fuss