EBay.com has begun sending notices out to some customers, with a warning that their accounts with the online auctioneer have been compromised. The e-mail notices tell recipients to create a new password for the service — in one case, a recipient was told to fax a copy of his driver’s license to eBay for reinstatement. EBay spokesperson Kevin Pursglove confirmed Tuesday that the online firm began sending such warning notices about three months ago, but wouldn’t say how many accounts had been compromised.
“We have reason to believe your eBay account may have been compromised,” reads an e-mail sent by eBay to Chris Hughes. “To ensure your account is not accessed by someone other than you, we have changed the password on your account, and ask that you immediately follow these directions.”
Hughes was then pointed to a special Web page on eBay designed to allow users to change their passwords.
It’s not clear how eBay decided Hughes’ account was at risk — the firm wouldn’t say. In a note of explanation to Hughes, the company said simply “We have strong reason to believe that your account’s password has been compromised. Unfortunately, we are not able to disclose the details surrounding the investigative procedures that led us to that conclusion.”
EBay’s Pursglove compared the notice to phone calls that credit card holders sometimes receive from their banks, after a bank fraud team notices potential illegal activity on the account holder’s card.
“This is an account where we’ve noticed some tampering has occurred,” Pursglove said. “We’ve been sending these out proactively maybe for the last three months. It’s something we don’t do a lot.”
Con artists often try to “hijack” eBay accounts in order to use them for fraudulent sales. That way, the con artist can take advantage of a legitimate eBay user’s good ratings. Hijacking has been going on for years, and it can be as simple as a criminal correctly guessing an obvious password. Criminals also trick users into divulging their passwords, using spam to send out fake “please update your password” notices that include a link to a look-alike eBay site that’s really run by the con artists.
Auction watchdog Rosalinda Baldwin, who operates TheAuctionGuild.com, complimented eBay on its efforts to intervene before fraud takes place.
“That is a good thing. Pat eBay on the back,” she said. “All they’re doing is changing the password, protecting the account, and as long as they immediately respond to fix it, it’s a good thing. I like when my credit card company calls me (with a fraud alert).”
OTHER ACCOUNTS COMPROMISED?
The warning Hughes received from eBay was a bit ominous, suggesting that a computer criminal somehow obtained his actual password. If true, that would probably give a criminal access to a variety of the victim’s accounts, since most surfers use the same password for their various accounts.
“If your old eBay password was also the password for any other online account you use (Paypal, Billpoint, etc.), immediately change those passwords as well,” the note read.
On the other hand, a response Hughes received after a complaint to eBay’s fraud team seems to contradict that recommendation.
“We assure you that our action was in the best interest of the safety of your account. Also, please understand that this is an isolated incident and will not affect eBay in general or other accounts you may have outside of eBay with the same password,” the note said.
Hughes claims he knows four others who received the note in the past week. One was an acquaintance from Denmark, who received a slightly different warning:
“Due to eBay site security measures, we recently had to remove your information from our site. We sincerely apologize for this inconvenience. To have your account restored, please send a faxed copy of your driver’s license, a valid phone number, and your eBay user ID to (eBay).”
The incident remains a mystery to Hughes, who says he used his eBay account only sparingly for the past year, and can see no evidence of fraudulent activity.
EBay is a frequent target of fraud complaints, but the firm says only a tiny fraction of the 7 million items for sale are fraudulent.