So, my eBay account has been hacked. I found out while I am on holidays in Germany when I received a couple emails from both eBay and PayPal saying I have 1) bid on, 2) won and 3) paid for an iPad 2 from 2 different sellers.

Each transaction went through my eBay account as if I had made the deal. The funds have been taken from my PayPal account which is linked to my bank account. Before any bids where placed, I received an email from PayPal saying that a credit card number I have on file has been removed from my PayPal account, which I never did.

For each transaction, the hacker (posing as me) emailed the seller and asked NOT to send to the Calgary address which is my confirmed/registered PayPal address but rather some address in Chicago. The first seller refused to send to an alternate address and that iPad is on its way to Calgary as per the tracking number. The second seller has not as smart and sent it to the Chicago address.

I have opened up a dispute for each case with PayPal providing as much info as I could.

Since my PayPal is linked to a bank account I never use, the following happened. The first transaction bounced, resulting in the amount not actually coming out of my account, but causing an NSF fee of $42. The second transaction, despite there being insufficient funds, has been taken out, leaving a several hundred dollar negative balance in my account.

So, if I was to guess what may happen, it would be that the first iPad that was shipped to Calgary, but not actually paid for, will arrive, and I should be able to return it to the seller for a refund, or keep it (which I have no use for). The second iPad which was sent to Chicago is all on the seller. I should receive my money back from PayPal since the product was sent to a non-verified address (as verified by the tracking number) and the seller is SOL (not that I care too much, but it sucks for him).

Should I contact the seller's at all and explain what happened, or leave it all to PayPal and their dispute center?

All my passwords have since been changed - too little to late, but hopefully it helps in the future.

Anything else I can do in the meantime? Would the bank be able to help? Freeze funds leaving the account? I bank with TD. Anyone have any experience with this?

Thanks.

Call the fraud dept of the credit card and your bank.
Paypal is useless.Seller is going to call B.S let paypal handle that end.

Any idea on how it was hacked? I hear about this happening on a semi-regular basis, but I'm curious to know how it's being done.

You seriously don't know? People use the same password for multiple things so once someone signs up on your website and provides their email address as a login, they have access to all your email which probably contain more passwords. They cross reference that with Paypal addresses / Ebay and log into those.

rage2 has access to about 60,000 identities right now should he choose to abuse them, I have the same access on my forum. All I would have to do is write a md5 script to unencrypt the passwords.

Here's a comic from one of my favourite websites:

http://cache.gawkerassets.com/assets/images/17/2010/09/500x_xkcd_passwords2.jpg

Couple of things to avoid in the future, for others:

Never have a bank account linked to your PP. Remove it once your done using it.

Paypal and banks are useless if something goes bad with the transaction after 45 days whereas credit cards will be able to refund your money still.


The password thing mentioned earlier is so true. Most people have one or two passwords for everything. One solution for this is the PayPal/Ebay one time keypass code generator which adds another layer of security.

It costs $5 (onetime) if I recall.

Can't they tell who did it based on the address it's being shipped to? Even if it's a po box it's still registered

I reuse passwords for forums but bank, ebay, paypal etc - they are all one shot.

But now so many people keep an unencrypted password file on their phone, when someone gets that they get everything.

Ouch. That sucks Justin.
Sounds like your renters will get a nice surprise Ipad!

i got an emal from paypal saying that someone bid and won on something i was selling. ive never sold anything on ebay before. i dunno what that was, but i checked paypal and no activity. wierd stuff.

I am not sure how it was hacked, I haven't signed into new forums or anything that would have the same user info. At first I thought i may have been a fishing scam with a fake email from eBay, but when I logged into my eBay account, the email trail to the sellers was there, so it was a real deal.
I will call the bank today (assuming they are open on Easter Monday?).

A bank account wont do anything. You will have to go through paypal. The bank will tell you that you allowed Paypal access to your account so they are not responsible and there is nothing you can do.

LOL Yeah forums and other useless sites have a 3 or 4 reused passwords but bank, Paypal, and credit cards each have a totally unique password. Probably 12 total passwords to remember. I'd really like to know how the account was hacked as well.

So I guess OP will have an iPad for sale soon?

Originally posted by Cos
A bank account wont do anything. You will have to go through paypal. The bank will tell you that you allowed Paypal access to your account so they are not responsible and there is nothing you can do.

I've actually had my bank fix everything with my account after Paypal took out $400 unauthorized. Just had to fill out a short form or two.

Originally posted by Gooseberry


I've actually had my bank fix everything with my account after Paypal took out $400 unauthorized. Just had to fill out a short form or two.

Yeah, basically just a short affidavit stating that you didn't authorize the funds blah, blah, blah.

Do people use Paypal mostly for stuff on eBay or other online trading such as forums? I'm going to be removing my bank account info as soon as possible.

Originally posted by Gooseberry


I've actually had my bank fix everything with my account after Paypal took out $400 unauthorized. Just had to fill out a short form or two.

My mistake learn something new every day.

I love beyond. Rather than talking to paypal, the bank, the sellers, etc. and getting your shit straightened out.

Post it here instead! We are all so omnipotent that we can answer ALL your questions.

Originally posted by DeeK
I love beyond. Rather than talking to paypal, the bank, the sellers, etc. and getting your shit straightened out.

Post it here instead! We are all so omnipotent that we can answer ALL your questions.

Every once and awhile somebody comes up with a stroke of genius.

None of my forum log-ins match my banking ones.
I have talked with PayPal already, not just Beyond, but thanks.
Trying to contact a bank, but not having internet and a 6 hour time difference, plus the holidays have made it harder than usual.

Lesson learned so far - don't link your bank accounts to PayPal, I believe a CC would be much easier and willing to help you dispute the charges.

Final Update:

Both disputes with PayPal were resolved, both resulting in a full refund for the unauthorized activities on my account. There was a bit of a discrepancy that resulted from the exchange rates changing over the course of this ordeal which caused a negative balance of $20 on my PayPal account, but after two phone calls to them, PayPal credited that amount as well (it was never an argument, they said they would right away).

I talked to my bank and they were able to give me one of the NSF amounts back, but not both. Apparently, TD is allowed to issue one NSF credit per year - that's what the guy said, and 1 is better than none.

All in all, I received one iPad I didn't order and had to pay $40 in duty and $42.50 in an NSF fee. But it was 100% not worth the hassle I had to go through.

If I was to guess, the one seller who decided to send to an unconfirmed address (the Chicago one) is shit out of luck.

The other seller who sent it to Calgary - I'm not sure if PayPal will give him his money back or what happened. I know the tracking number he supplied gave a 'no results' when checked with USPS, so maybe that is why I was able to win the dispute?

:thumbsup: to PayPal for stepping up on this one, though I am quite hesitant to keep my account open.

Also, passwords are now different for eBay and PayPal, and the accounts linked in PayPal are not valid anyway (old bank account, old credit card).

Hopefully no one else here has to go through this shit.

so you got a free iPad??

He should try to find the seller and return the iPad *IF* the seller can prove he is out his cash and his iPad.

Or, the more obvious choice, claim it never arrived and sell it on Kijiji.

hopefully the one in calgary can get his money back and you could send your ipad to the one who shipped to chicago.