Hackers are selling eBay logins online

A report has revealed that hackers are selling eBay login details online in the wake of the recent attack against the company in which details of over 233 million customers were stolen.

Now an investigation set up by UK newspaper, The Sun on Sunday, claims to have found scammers selling credentials of affected users online, according to the International Business Times.

The sale of legitimate identities is very serious because, once in the hands of a fraudulent buyer, they can be used for many different purposes. Accounts with good customer ratings may be used by scammers to sell dodgy goods without attracting attention. Almost certainly, some degree of identity theft will be involved, which has the potential to be devastating to users.

The investigation noted that one hacker was offering 1,000 UK eBay accounts with entirely positive feedback for £24.93 each whilst another would sell 'unlimited' usernames and accompanying passwords for £2,100. The report does not indicate where these offers were advertised but it is likely to be on secure websites frequented by hackers and accessible through systems such as the Tor Network.

eBay is already going to be investigated by data protection authorities on both sides of the Atlantic over the way in which it stored user details prior to the attack that took place earlier this year. Now that logins are being actively sold online, an already hugely damaging attack seems to be developing into something even worse.

If you have ignored the advice to change your password for the site until now, you should do so immediately or you may end up learning the hard way that your details have fallen into the wrong hands.

Source: The International Business Times | Image via Business Insider


The login details are minuscule in comparison with the other stuff in the database that was hacked, such as customers' names, email and physical addresses, phone numbers and dates of birth.

Does anyone use the LastPass Firefox addon? That is the best secure password addon; I've used it to generate an 18-length password all mixed with numbers and letters and symbols.

Yeah it's forced now.
I had ignored it, but when I went on yesterday I couldn't continue until I changed the password.

Even if I hadn't changed mine, if anybody tried to steal my identity, they would probably feel sorry for me and deposit money into my bank account instead of taking some out.

Changed mine as well, as soon as I heard about it, (I wonder if using something similar to the blizzard authenticator would help.....)

are there really that many people who would use 'password' or '12345678' etc?

i would have to assume most people would know better than that especially for more important stuff. but it does seem like many banking sites etc specifically mention to use a decent password when they make one.

ThaCrip said,
are there really that many people who would

i would have to assume


Yes there would be, which is why you don't assume! :p

You could, but eBay said that PayPal was not affected. But obviously if you are using the same passwords for both then you've got a problem.

I use Password Safe (http://pwsafe.org/) to manage all of my website passwords and they are randomly generated for each, as I don't even know the passwords to a large percentage of stuff I log into.

P.S. And to be safe... I keep a backup copy of the database it makes on another PC in case my main PC goes down and I need to use my backup PC to buy stuff online etc. in order to fix the main one.

Someone tried logging into my account last week, as I got a password reset text. So I changed my password then. Though I have nothing on eBay anyway and different passwords for all major sites.

1) Password Change
2) Two factor authentication FTW (I just ordered one of those new PayPal credit card authentication cards... got tired of never having my football with me at my parents' house and then not letting us authenticate our cell phone on eBay.)
3) Lie on security questions and store answers in Roboform pass card

Mother's maiden name: mrZoD*6Vuftq

Yep, something un-guessable and not in any public record. Also a good idea to NOT use your driver's license or ssn as any sort of verification if possible. If thieves can look it up, they can use it to take your identity.

webdev511 said,
Yep, something un-guessable and not in any public record. Also a good idea to NOT use your driver's license or ssn as any sort of verification if possible. If thieves can look it up, they can use it to take your identity.

What really annoys me is that some sites don't let you create your own and the ones you do have to choose from are questions that are all public record and EVERYONE tells the truth on the questions.

My mom (who, unlike most average users, is not an idiot when it comes to computers. My dad on the other hand.....) uses Roboform. I tell her to lie on the security questions and she always looks at me like I'm nuts.

Edited by warwagon, Jun 1 2014, 9:52pm :

warwagon said,
1) Password Change
2) Two factor authentication FTW (I just ordered one of those new PayPal credit card authentication cards... got tired of never having my football with me at my parents' house and then not letting us authenticate our cell phone on eBay.)
3) Lie on security questions and store answers in Roboform pass card

Mother's maiden name: mrZoD*6Vuftq

This is good advice, but I also practice this in daily conversation. Someone sees my cat and says "Aww that's a cute cat, what's her name?" and I answer "LfnJT2ZSkuB5b14H, she's very case sensitive."

Oh, and for the love of gods, please remember to print out Roboform or LastPass passwords and store them in a safe place (a safety deposit box in my case). Don't rely on just a digital copy.

I thought the passwords were encrypted. Either they managed to break the encryption or they are lying about having both.

LightEco said,
I thought the passwords were encrypted. Either they managed to break the encryption or they are lying about having both.

Name a large company with a decent password hashing/encryption system?
Hotmail is plain text for example, they all use the minimum to get away with whatever and I'm yet to see a large-scale one that uses salted passwords which means it'll probably be md5 or sha1 or something stupid and all they need to do is churn it through a bruteforce/dictionary program and it'll find at least some matches.

Maybe they're trying to scam people by taking advantage of the news of the hack. What are the scammed gonna do, report them to the authorities? lol

n_K said,

Name a large company with a decent password hashing/encryption system?
Hotmail is plain text for example, they all use the minimum to get away with whatever and I'm yet to see a large-scale one that uses salted passwords which means it'll probably be md5 or sha1 or something stupid and all they need to do is churn it through a bruteforce/dictionary program and it'll find at least some matches.

So much BS with nothing to back it up. Heck last time when there was some argument about the hotmail/live password encoding we had an MS coder explain why it was BS on the forums..

vcfan said,
Maybe they're trying to scam people by taking advantage of the news of the hack. What are the scammed gonna do, report them to the authorities? lol


Yeah, if this is true it's almost certainly a scam.

That or accounts they had already hacked through other means, like hacking other sites and using same password, and now they use the news to sell them.

n_K said,

Name a large company with a decent password hashing/encryption system?
Hotmail is plain text for example, they all use the minimum to get away with whatever and I'm yet to see a large-scale one that uses salted passwords which means it'll probably be md5 or sha1 or something stupid and all they need to do is churn it through a bruteforce/dictionary program and it'll find at least some matches.

Hotmail, run by Microsoft, stores passwords as plain text????? Really???

frett said,

Hotmail, run by Microsoft, stores passwords as plain text????? Really???

I don't believe it. MS, of all companies, has a wealth of experience with security. There's no way they'll store the unified credential to all their services in plaintext. That's just ridiculous.

frett said,

Hotmail, run by Microsoft, stores passwords as plain text????? Really???

Either they store passwords in plain text or you submit them in plain text and they process them in plain text.
And hawkman as for the coder, I'm sure if everything they did was on the real hotmail system, they'd have seen all the NSA extras.

LightEco said,
I thought the passwords were encrypted. Either they managed to break the encryption or they are lying about having both.

It's not hard to run a hash check with the most common passwords against the stolen db to get a list of working accounts...

Older Hashes are basically useless if someone is utilizing modern GPUs to crack them. Newer hashes fare better, but will eventually fall to brute force.

Someone put together a 25 GPU system 18 months ago that blasted out about 350 Billion (yes with a B) hashes/second...and that was another generation of GPU behind what you can buy today.

Raa said,

It's not hard to run a hash check with the most common passwords against the stolen db to get a list of working accounts...

A salt (random data) is added to prevent these kinds of attacks.

DogEars said,
Older Hashes are basically useless if someone is utilizing modern GPUs to crack them. Newer hashes fare better, but will eventually fall to brute force.

Someone put together a 25 GPU system 18 months ago that blasted out about 350 Billion (yes with a B) hashes/second...and that was another generation of GPU behind what you can buy today.

Of what? A DES based hash? Even with a million GPUs you wouldn't even get a sniff of a SHA-256 hash.

vcfan said,

A salt (random data) is added to prevent these kinds of attacks.


Sorry, I meant brute force. It would take seconds to get a long list of working accounts, because let's face it... people are going to use "password" as a password.

Raa said,

Sorry, I meant brute force. It would take seconds to get a long list of working accounts, because let's face it... people are going to use "password" as a password.

Bruteforce means trying every single combination possible. If we have an 8 character password and an 8 byte salt, brute forcing this with a GTX Titan Z, which has a compute power of 8.122 TFLOPs, would take [2 to the power 128] / 8,122,000,000,000 ops/second = 1328525371928837009 YEARS, and that's in a perfect world where one hash function only takes one operation to resolve (in reality it's going to take hundreds of thousands or millions of operations to resolve only one hash function).

If you want to build a rainbow table, you still have to precompute every possible combination as well.

vcfan said,

Bruteforce means


You're really pedantic aren't you?

Okay let me phrase it exactly for you:
Someone has a very big database. They verify against this really big database of accounts simple passwords like "password" or "12345678", etc. They get "hits", which they then make note of.

They then sell this information.


Wasn't that hard, was it?

n_K said,

Name a large company with a decent password hashing/encryption system?
Hotmail is plain text for example, they all use the minimum to get away with whatever and I'm yet to see a large-scale one that uses salted passwords which means it'll probably be md5 or sha1 or something stupid and all they need to do is churn it through a bruteforce/dictionary program and it'll find at least some matches.

The problem is that the user/pass were not hashed, they were encrypted. What this means is that, if you know one person's password (for example, their password hint is: my password is monkey), they now know that everyone with the same ciphertext password is monkey. Hashing prevents this by making the same password have different ciphertext.

Also, I think encrypting (not hashing) the passwords makes them more vulnerable to rainbow tables. These are tables of passwords and their corresponding ciphertext, making it much easier to take ciphertext and know the corresponding password.

It is hard to trust any company to protect passwords. Therefore, I try to enable 2-factor authentication wherever I can. I just complained to Amazon because they don't offer 2-factor.
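To make the point in this post and in vcfan's earlier remark about salts concrete, here is an added example (not code from the thread or from eBay) that stores a small constructed set of credentials two ways: with a deterministic scheme that yields the same stored value for equal passwords, and with a per-user random salt and a slow hash (scrypt from Python's standard library). It then measures how many accounts share a stored value under each scheme, and shows that salting alone still does not protect guessable passwords, which is why a forced reset is the remedy. The HMAC-with-fixed-key construction is only a stand-in assumed here for "deterministic encryption"; the user list and the common-password list are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample credential store: several users chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "monkey",
    "bob": "monkey",
    "carol": "correct horse battery staple",
    "dave": "monkey",
    "erin": "12345678",
}

# Constructed stand-in for a "most frequently tried" password list.
COMMON_PASSWORDS: List[str] = ["password", "12345678", "monkey", "qwerty"]

# Stand-in for deterministic encryption (assumption, not eBay's scheme): one
# fixed site key and no per-user randomness, so equal passwords give equal
# stored values.  HMAC is used only to simulate that property.
SITE_KEY = b"constructed-site-key-not-a-real-secret"


def store_deterministic(password: str) -> bytes:
    """Same password -> same stored value, for every user."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow hash (scrypt)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def largest_cluster(stored_values: Iterable[bytes]) -> int:
    """Largest number of accounts sharing one stored value."""
    return max(Counter(stored_values).values())


def deterministic_cluster(users: Dict[str, str] = SAMPLE_USERS) -> int:
    """Under the deterministic scheme, the cluster size equals the number of
    users sharing the most common password (3 here: alice, bob, dave)."""
    return largest_cluster(store_deterministic(p) for p in users.values())


def salted_cluster(users: Dict[str, str] = SAMPLE_USERS) -> int:
    """Under the salted scheme every stored value is unique, even though
    three users still share the password 'monkey'."""
    return largest_cluster(store_salted(p)[1] for p in users.values())


def flag_common_passwords(users: Dict[str, str] = SAMPLE_USERS,
                          common: List[str] = COMMON_PASSWORDS) -> List[str]:
    """Defender-side audit over the salted store: which accounts currently use
    a password from the common list and should be forced to reset.  Salting
    hides that two users match each other, but not that a user's password is
    on a short list of guesses."""
    flagged = []
    for name, pw in users.items():
        salt, digest = store_salted(pw)          # what the store holds
        if any(verify_salted(guess, salt, digest) for guess in common):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print("deterministic: largest cluster =", deterministic_cluster())
    print("salted:        largest cluster =", salted_cluster())
    print("accounts to force-reset:", flag_common_passwords())
```

The two cluster counts are the whole argument of the post above: with a deterministic store, one known password (say, from a hint) exposes every account holding the same stored value, whereas with a random salt per user nothing in the store reveals that two users chose the same password. The audit function shows the limit of that protection and why, as a later comment notes, eBay's forced password change is what actually makes the leaked data worthless.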

Raa said,

You're really pedantic aren't you?

Okay let me phrase it exactly for you:
Someone has a very big database. They verify against this really big database of accounts simple passwords like "password" or "12345678", etc. They get "hits", which they then make note of.

They then sell this information.


Wasn't that hard, was it?

My bad, not trying to come off that way. I must have been confused with your use of the term bruteforce to mean brute forcing the hashed password of each individual account.

So couldn't someone compile a list of accounts by simply getting them from the website? Why would they have waited for a breach to get this from a database? A simple bot could compile a massive list.

vcfan said,

So couldn't someone compile a list of accounts by simply getting them from the website? Why would they have waited for a breach to get this from a database? A simple bot could compile a massive list.

All good mate, yes probably bad terminology on my behalf too.

Yeah, someone could do that, but that would then leave a trace, or fail if there are other checks (2nd level auth, captcha, etc., which a bot cannot do). It's far easier to attack a local DB if you have one on hand (which a bot can do).

Senlis said,

The problem is that the user/pass were not hashed, they were encrypted. What this means is that, if you know one person's password (for example, their password hint is: my password is monkey), they now know that everyone with the same ciphertext password is monkey. Hashing prevents this by making the same password have different ciphertext.

Also, I think encrypting (not hashing) the passwords makes them more vulnerable to rainbow tables. These are tables of passwords and their corresponding ciphertext, making it much easier to take ciphertext and know the corresponding password.

It is hard to trust any company to protect passwords. Therefore, I try to enable 2-factor authentication wherever I can. I just complained to Amazon because they don't offer 2-factor.


I was assuming the passwords were hashed but they just said encrypted. If you tell the general population that their passwords have been hashed, they'll have a blank stare not having a clue what you mean, but tell them it's encrypted and they'll think 'oh yes that is good!'.
Although they may really have been just encrypted. Either way, that is an absolutely ###### poor design if they were just encrypted.

n_K said,

Either they store passwords in plain text or you submit them in plain text and they process them in plain text.
And hawkman as for the coder, I'm sure if everything they did was on the real hotmail system, they'd have seen all the NSA extras.

You're still making ###### up...

HawkMan said,

You're still making ###### up...


Oh sorry, do you have full access to the hotmail source code then to clarify on if it does use plaintext or not?
Come on hawkman, surprise us all with your brilliant knowledge and inside information on the subject!

n_K said,

I was assuming the passwords were hashed but they just said encrypted. If you tell the general population that their passwords have been hashed, they'll have a blank stare not having a clue what you mean, but tell them it's encrypted and they'll think 'oh yes that is good!'.
Although they may really have been just encrypted. Either way, that is an absolutely ###### poor design if they were just encrypted.

I did some additional research and it seems that the passwords may have been hashed. My bad

n_K said,

Oh sorry, do you have full access to the hotmail source code then to clarify on if it does use plaintext or not?
Come on hawkman, surprise us all with your brilliant knowledge and inside information on the subject!

I'm sorry, but you're the one making ridiculous claims; YOU'RE the one who has to prove your ridiculous claims.

HawkMan said,

I'm sorry, but you're the one making ridiculous claims; YOU'RE the one who has to prove your ridiculous claims.


I logged into hotmail years ago with the password 'password' and was told having 'password' as my password was not secure, your turn:

n_K said,

I logged into hotmail years ago with the password 'password' and was told having 'password' as my password was not secure, your turn:


So you're claiming tech knowledge, but you don't even understand how JavaScript locally works...

HawkMan said,


So you're claiming tech knowledge, but you don't even understand how JavaScript locally works...


It has nothing to do with JavaScript; the redirection to a specific page on Hotmail was done REMOTELY, not locally.
I've just tried that account again just now, logs in to the normal URL fine and I get redirected to https://account.live.com/Password/Update?ru=<redacted>; and am greeted with;
'Your password is too easy to guess
Your current password is on a list of passwords that hackers frequently try to use. Create a new one to help keep your account secure.'

So once again, you're claiming knowledge about something you have ###### all experience of, try again;

And? This could still be done locally. Heck, even then it doesn't mean the password is stored and sent open text, which you should be well aware of. They just need to know what your easy to guess passwords look like hashed and/or encrypted.

HawkMan said,
And? This could still be done locally. Heck, even then it doesn't mean the password is stored and sent open text, which you should be well aware of. They just need to know what your easy to guess passwords look like hashed and/or encrypted.

It is not done locally, or do I have to send you to the no$cript website?

HawkMan said,
Wow.

So not only did you not start the topic I referred to before, you know the answer and that you are wrong about the password stored as plain text.

you're simply trolling in this thread....

http://www.neowin.net/forum/to...re-passwords-in-plain-text/

really should report for trolling...


You can read, can't you? I addressed that here;
n_K said,

Either they store password in plain text or you submit them in plain text and they process them in plain text.
And hawkman as for the coder, I'm sure if everything they did was on the real hotmail system, they'd have seen all the NSA extras.

Read your own thread again. It would only be SENT plain text when you make a new password the first time over HTTPS.

so again, you're trolling and you know you're wrong.

NSA extras... :rolleyes: grow up.

HawkMan said,
Read your own thread again. It would only be SENT plain text when you make a new password the first time over HTTPS.

so again, you're trolling and you know you're wrong.

NSA extras... :rolleyes: grow up.


Read this discussion again, no-where have I mentioned changing my password, I've said (multiple times I might add) I get a redirect when I LOG IN.

IT _IS_ sent plain text, over SSL.

n_K said,

Read this discussion again, no-where have I mentioned changing my password, I've said (multiple times I might add) I get a redirect when I LOG IN.

IT _IS_ sent plain text, over SSL.

In which case they already know you have an insecure password, and your account is flagged with that until you change it.

You're also ignoring all the other ways they can know you have an insecure password without reading your actual password... STILL something that was even explained to you in that thread, so you still know you're arguing about stuff you can't prove or back up and know is false.

HawkMan said,

In which case they already know you have an insecure password, and your account is flagged with that until you change it.

You're also ignoring all the other ways they can know you have an insecure password without reading your actual password... STILL something that was even explained to you in that thread, so you still know you're arguing about stuff you can't prove or back up and know is false.


Those are possible reasons, or (you've yet to work this one out) they store passwords in plain text.
None of the options can be proved or shown to be wrong. I don't know, the guy in the thread doesn't know and you certainly don't know.

HawkMan said,
Actually we do know since you can't request your password back.

No, that's common sense to not allow you to ask for what your password is.
Are you just playing stupid or what?
'hi i am logged in please tell me my password....'

n_K said,

No, that's common sense to not allow you to ask for what your password is.
Are you just playing stupid or what?
'hi i am logged in please tell me my password....'

Now you're just being dense on purpose...

FloatingFatMan said,
Surely most people would have changed their passwords by now? I mean, the hack even hit mainstream news services like the BBC...

The problem isn't logins/passwords. It's full names, addresses and dates of birth. Which is enough to get past security at most places.

Most people haven't got time to do it in a timely manner even if they somehow heard it on news services (and even only if they actually do).

In other words - most people wouldn't have heard, no.

For anybody that hasn't changed their password, eBay is forcing them to enter their email address and then change the password. So basically the info being sold is worth nothing.

I'm sure that same eBay password for most users would also get them straight into their PayPal, Gmail, Amazon and pretty much any other site on the internet.

Not me. Though I'd better go change Amazon soon, since it is very similar. LOL


If they see one, they see one, and god forbid they figure out 2... they can crack my whole code....


I'd better write a will and get my affairs in order.

Edited by panacea, Jun 2 2014, 1:44am :