Information Revealed not from

By Lisa Vaas  |  Posted 2007-03-10 Print this article Print

eBay"> England also said that the information posted to the forum was not from eBays internal systems, given that it included information eBay does not collect: bank account numbers, PIN numbers, credit card verification numbers and so on.

"Thats information we would never have," England told eWEEK. "Nor would we have cause to have collected it. This person had posted to a discussion board, but we have no idea where he got [the data] from. … Most likely a phishing site or phishing scams."
Romanian hackers seem to either have it in for eBay or find eBay and its users easy targets—or both. For the past two months, a Romanian hacker using the handle "Vladuz" has been prancing through eBay, convincingly posing as an internal eBay moderator on eBay forums, posting lists of hijacked eBay accounts for sale, advertising copyrighted tools to hack eBay and partaking in his countrymans habit of taunting others. For a slideshow of his or her handiwork, click here.
eBay claims that with all of the 15 accounts posted in this most recent incident, internal systems detected unauthorized access attempts. Thus, the accounts were locked down before the hackers posts were even made, England said. England declined to give examples of the suspicious behavior that triggered eBays internal fraud detection system, so as not to tip the companys hands to criminals who could modify their behavior to avoid detection. Vladuz the phishing impaler sticks it to eBay. Click here to read more. "Its the typical antifraud behavior modeling," she said. "If you give us information, we do verify [it]. If you give us credit card information that doesnt sync up with your name, were going to shut [the account] down." eBay will continue to monitor the accounts to ensure that no more illicit access attempts are made, England said. eBay recommends use of the eBay toolbar, which has a warning that flashes red when users navigate to an illegitimate site. eBay Forum members were incensed at the idea that eBay had neglected to contact the eBay members about their information being breached. Indeed, if eBays internal systems had been breached and the customer information stolen through such means, eBay would be legally obligated to notify victims under Californias Security Breach Information Act. However, since the information revealed was not from eBay, as demonstrated by the inclusion of data eBay does not collect, eBay is not responsible for notifying victims. "Legally, eBays not responsible," England said. "This is one of those situations where this isnt a breach of eBays systems or securities. Legally I dont believe we have an obligation to inform people. As a corporation eBay feels its the thing to do. We put the safety of our community first. If we feel one of our members information has been compromised, were going to contact them and let them know." Regardless, people associated with reached out to the victims before eBay did, to ensure that they knew of the breach. According to the site, at least one of the victims was distraught at the news. "One woman broke down and was near tears, if not fully crying, her voice trembling with each question she asked," the site says. "She said that all information was correct and was current and that she was very scared. She couldnt even remember her eBay user ID or password. She said that she uses eBay during the holidays to buy gifts, and gets a new eBay ID each year because she ends up forgetting the password and/or username. She was terrified—Im sure due in part to the little she has heard about identity theft." Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel