If you have an eBay account, keep an eye on it

[Edwin Santos]

My eBay account was hacked recently. In talking with their CSR, it sounds like there is a lot of it going on right now.

If you have an eBay account, turn on two factor authentication so your physical cell phone will be required to collect the one-time code to log in to your account. A bit of a pain yes, but two factor authentication makes it remarkably more difficult for a hacker to get to your account, in my case it prevented the eBay hacker from getting in to my Apple account despite the fact that I naively used the same password for Apple and eBay.
It's a good idea to use two factor authentication for as many of your accounts as you can.

Make sure the password you use for your eBay account is not used for any other account associated with the email address you use for eBay. Luckily for me, I use a different password for Paypal from the one I use for eBay, and the hacker was able to load up my shopping cart with gift cards, and about $1000 of other stuff, but could not check out because he needed my Paypal password and didn't have it.

As complicated as it can get, it's a good practice to use different passwords for all your accounts if you are able to manage it. They make password vault software to help keep track of numerous passwords.

I hope my recent experience saves someone else some grief.

Edwin

[Malcolm Schweizer]

That is scary- thank you for sharing. I go to eBay for everything. I keep separate passwords for banking, ebay, forums, etc. So does this mean that eBay was hacked, or did they get your information from some other hack, like an email server hack?

[Edwin Santos]

That is scary- thank you for sharing. I go to eBay for everything. I keep separate passwords for banking, ebay, forums, etc. So does this mean that eBay was hacked, or did they get your information from some other hack, like an email server hack?

Hi Malcolm,
I believe the whole thing started by them hacking ebay. From there they learned my email address and have tried to access other accounts associated with my email address, like Apple, my email account itself, and a few others. They got into my email because like a fool I was using the same password that I use for ebay. I think the key is having different passwords for everything and using two factor authentication where you can. How they hacked ebay I don't know, but the CSR at ebay didn't bat an eye, so it gives me the impression this is common. I think ebay is a fraud magnet unfortunately.

It might not be a bad idea to set up a separate email address just for ebay use and segregate it from the rest of your life. That way if your ebay account is hacked, there is no connection through it to any other part of your life.

The tech support rep at my email provider told me his ebay account was hacked in a similar way, and the hacker was able to order three iPhones through it. He was reimbursed for two because he caught it before they shipped, but the one that shipped ended up being on his dime and he could not get reimbursed for it.

If they get into your email, one of the common tricks they do is to go into the account settings and add an email address they control into the auto-forward field. That way every incoming email to you also goes to them unbeknownst to you and in this way the hacker has a permanent back door. Pretty insidious.

I'm researching the pros and cons of password mangers like Keychain and LastPass. If anyone here has recommendations, please share.
Edwin

[Yonak Hawkins]

Luckily for me, I use a different password for Paypal from the one I use for eBay ... he needed my Paypal password and didn't have it.

Edwin

This is an important point. eBay wants to make it as easy to check out as possible. They want you to not have to manually log into PayPal with your password when you check out, and go straight into the PayPal account with your password they have on file. I have rejected this automatic login and make it so my inputting the password is required as, apparently, Edwin has done, as well.

[Jon Wolfe]

Thanks for all the tips guys. Edwin, I hope you have been able to fix all the account issues. I've just added the 2FA (two factor authentication) to both my ebay and my pay pal acounts and changed passwords so they aren't the same.
Thanks again.
Jon

[Kev Williams]

Ain't just ebay to worry about- back in November I had 2 different 'entities' steal over $17,000 out of our business bank account, one via phony ACH Amex payments, the other via Chase E-pay charges. Got all of it back except $700 so far. I've had CC hacks 3 times in the past, which the bank promptly caught, but never had money stolen directly from my bank accounts- which BTW can be done without passwords, the bank only needs to be convinced that I authorized the charges. Didn't used to, but I check my bank every day for 'pending transactions'.

[John K Jordan]

....but never had money stolen directly from my bank accounts- which BTW can be done without passwords, the bank only needs to be convinced that I authorized the charges. Didn't used to, but I check my bank every day for 'pending transactions'.

A few years ago I found out how insecure bank accounts can be. Someone apparently typed in their account number but accidentally left off a couple of trailing numbers so it was the same as my (shorter) account number. The bank paid their house payment from my account. They fixed it but if I hadn't caught it I would have probably been out the money.

JKJ

[Bill Carey]

I'm researching the pros and cons of password mangers like Keychain and LastPass. If anyone here has recommendations, please share.
Edwin

I have been using Dashlane for years without any problems. But I don't use the sync service because then all the passwords are "out there" so I can have them on my phone, tablet, computer,etc. I just use the desktop app and keep the password file on a thumb drive that I can remove if needs be. Dashlane will generate passwords for you and save them. And it's pretty easy to change passwords as well.

[Ted Calver]

I have been using Dashlane for years without any problems. But I don't use the sync service because then all the passwords are "out there" so I can have them on my phone, tablet, computer,etc. I just use the desktop app and keep the password file on a thumb drive that I can remove if needs be. Dashlane will generate passwords for you and save them. And it's pretty easy to change passwords as well.

We've also used Dashlane for years, sync'd among cell phones, with some passwords shared between computers. The only issue we've had is with the password generator's inability to honor specific character sets associated with many sites. For example, a site will ask that passwords contain upper case and lower case letters, numbers and at least one of the following special characters &%$#@. There is no way to enter those special characters in Dashlane's password generator so the generator is pretty useless unless you set it for just numbers and letters and manually enter the special character. It's a small but annoying fault.