eBay Hacker Indicted in Massachusetts

The Boston resident is charged with illegally accessing over 40 eBay accounts and using the credit card information to purchase gift certificates.

A 20-year-old Massachusetts man has been charged with hacking into dozens of customer accounts at online auctioneer eBay Inc. and racking up $32,000 in charges.

Sean Galvez of Boston was indicted on one count of larceny and 10 counts of unauthorized access to a computer and identity fraud committed during 2003.

He is believed to have illegally accessed and taken over more than 40 eBay accounts, then used them to buy gift certificates for eBays Half.com, according to a statement from Massachusetts Attorney General Tom Reilly.

eBay did not immediately respond to a request for comment.

Galvez is alleged to have gained access to the eBay accounts between February 2003 and September of that year. It is not known how Galvez compromised the password-protected sites.

/zimages/3/28571.gifeBay pulls the bidding on a Microsoft Excel vulnerability. Click here to read more.

John Grossman, an assistant attorney general in charge of corruption and fraud in the Massachusetts Attorney Generals computer crime division, said the Attorney Generals office is still trying to determine how Galvez obtained the passwords.

/zimages/3/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Grossman declined to comment on whether Galvez was the only individual involved in the identity theft scam.

However, one official, who spoke anonymously because of the ongoing case, speculated that the crimes could be linked to stolen identities obtained through an eBay phishing scam.

"It wouldnt surprise me if he bought [eBay passwords] from somebody else online," the official said.

Once inside, however, Galvez changed passwords and harvested stored credit card numbers from the accounts, which he used to purchase online gift certificates.

eBay launched an investigation into the purchases after customers complained of being locked out of their accounts. The company notified the U.S. Postal Inspector, which was able to trace the illegal activity to Galvezs home, the Attorney Generals office said.

In all, Galvez bought $32,000 worth of gift certificates for Half.com. He redeemed around $8,000 worth through shell eBay accounts he set up, mostly on electronics, Grossman said.

A spokesperson for the Attorney Generals office said the damage could have been much worse.

"Were gratified that law enforcement and eBay, working together, were able to shut the scheme down before the dollar amount got too high," Grossman said.

Galvez, who was 17 at the time the crimes were committed, is set to be arraigned in Suffolk Superior Court on Jan. 18. He faces five years in state prison.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.