My eBay account got... hacked? I think?
April 17, 2017 2:02 PM Subscribe
Should I do anything beyond changing all my passwords and security questions, and turning on 2-factor authentication everywhere available? I have some confusions. This is actually the first time this has ever happened to me despite living full-time on the internet for a couple decades.
Someone tried to buy a really sweet graphics card using my eBay and PayPal accounts. The seller canceled the transaction immediately because of address irregularities. It seems like the the person who hacked me was unable to change things like my address and name and such, so he messaged the seller saying, basically, oh hey, here's my current name and address, ignore that other stuff. The seller, seeing that this information did not match the credit card info via PayPal, and it all being exceedingly shady, canceled the order. There is no other recent activity logged in either eBay or PayPal for my account.
So, I am a bit confused as to how someone could use my account to purchase something, but not to change my address to their own. (The address was not changed on either eBay or PayPal--I would understand if it was changed on eBay but not PayPal because different passwords, but neither?). Can anyone explain this? I'm tempted to just close my eBay account and salt the earth because I use eBay maybe once a year and I can create a new account if I ever need to.
Secondly, should I do anything else about this? I mean, alert anyone? It's a very clear, really obvious, totally unsubtle attempt to get a very pricey item mailed to a warehouse in Delaware (I googled it--this address has also been used in courier forwarding scams). I've got the address, I've got a name that is probably an alias, I've got the evidence. Do I tell eBay? The Newport police? Would anyone actually care?
And while we're all here, if someone wants to point me to a password manager explainer, that'd be super helpful. I think I need to get on that train. Too many passwords, too little brain.
Someone tried to buy a really sweet graphics card using my eBay and PayPal accounts. The seller canceled the transaction immediately because of address irregularities. It seems like the the person who hacked me was unable to change things like my address and name and such, so he messaged the seller saying, basically, oh hey, here's my current name and address, ignore that other stuff. The seller, seeing that this information did not match the credit card info via PayPal, and it all being exceedingly shady, canceled the order. There is no other recent activity logged in either eBay or PayPal for my account.
So, I am a bit confused as to how someone could use my account to purchase something, but not to change my address to their own. (The address was not changed on either eBay or PayPal--I would understand if it was changed on eBay but not PayPal because different passwords, but neither?). Can anyone explain this? I'm tempted to just close my eBay account and salt the earth because I use eBay maybe once a year and I can create a new account if I ever need to.
Secondly, should I do anything else about this? I mean, alert anyone? It's a very clear, really obvious, totally unsubtle attempt to get a very pricey item mailed to a warehouse in Delaware (I googled it--this address has also been used in courier forwarding scams). I've got the address, I've got a name that is probably an alias, I've got the evidence. Do I tell eBay? The Newport police? Would anyone actually care?
And while we're all here, if someone wants to point me to a password manager explainer, that'd be super helpful. I think I need to get on that train. Too many passwords, too little brain.
Yikes. It's also possible that someone got into your email and used it to reset the passwords on both accounts.
But yeah, 2FA all the things. If you ever use the same passwords on different sites, change them. This might be a good excuse to just go on a password-changing spree anyway. Use Keepass or Lastpass and generate random passwords for everything.
posted by roll truck roll at 2:25 PM on April 17, 2017
But yeah, 2FA all the things. If you ever use the same passwords on different sites, change them. This might be a good excuse to just go on a password-changing spree anyway. Use Keepass or Lastpass and generate random passwords for everything.
posted by roll truck roll at 2:25 PM on April 17, 2017
So, weirdly, this just happened to me this weekend (sweet sweet gunsight, compatible with night-vision!). I don't have any kind of payment method auto-linked to eBay (you have to sign in separately for PayPal), so I'm guessing the person gave up when they were unable to complete the purchase. (They did change my shipping address to "their own.") After contacting the seller, I went into eBay help to find the form that surely they must want you to file reporting a fraudulent purchase being made in your name...and there is none. Literally, if you choose the "someone used my account" prompt in help, it advises you...to change your password. It only directs you to contact them if you're locked out of your account as a result.
So...I guess eBay just does not give a hoot if its merchants get ripped off. It's not even worth tracking for them.
posted by praemunire at 2:44 PM on April 17, 2017 [1 favorite]
So...I guess eBay just does not give a hoot if its merchants get ripped off. It's not even worth tracking for them.
posted by praemunire at 2:44 PM on April 17, 2017 [1 favorite]
If you're like 95% of the population and reuse usernames and passwords, it's likely that someone is guessing your eBay and PayPal account info from some other hack.
The thing to do, as you suggest, is to start using a password manager. I've used LastPass casually for a couple years and this episode of Reply All finally pushed me over the edge to actually fully using it. It's been surprisingly easy, mostly because the browser extensions make it prettily seamless. I had built up in my head that it was going to be a huge pain and was pleasantly surprised at how little of an issue it was.
posted by Betelgeuse at 5:21 PM on April 17, 2017
The thing to do, as you suggest, is to start using a password manager. I've used LastPass casually for a couple years and this episode of Reply All finally pushed me over the edge to actually fully using it. It's been surprisingly easy, mostly because the browser extensions make it prettily seamless. I had built up in my head that it was going to be a huge pain and was pleasantly surprised at how little of an issue it was.
posted by Betelgeuse at 5:21 PM on April 17, 2017
This thread is closed to new comments.
posted by Candleman at 2:13 PM on April 17, 2017