Last week, my wife was surprised when she attempted to check her Yahoo email and was informed that her password was incorrect. She had never changed it. She called me up to ask for help. I tried logging in to her account and got the same results. At first I thought maybe it was a server problem, so I tried logging on to my own Yahoo account. No problem. It appeared that her account had been hijacked. I advised her to try to contact Yahoo to resolve the problem, and we got off the phone.
A few minutes later she called me back. She wasn't able to log on to eBay either. This was serious. I came home early so we could figure out what was going on. Charlotte's attempts at recovering her account through eBay and Yahoo's password recovery wizards failed; the hacker had changed her personal information, on both accounts. While Charlotte tried to track down customer support phone numbers for both sites, I wondered why anyone would want to steal another person's eBay account- or email for that matter. I discovered my answer when I searched eBay for auctions held under my wife's ID. This person was selling 2 brand new Dell laptops with Charlotte's account, with a starting bid of $1.00- and bidders were already fighting for them.
Interestingly, further down the auction pages, the graphic that contained photos of the laptops said that the seller would only accept payment by Western Union (not a common eBay payment method) and that if people wanted to buy the computers outright for $999 they should contact the seller by email (a big eBay no-no). If potential buyers clicked the "contact seller" link, an email would be sent to Charlotte's Yahoo account, which the hacker also controlled. So it became clear- the hacker had stolen Charlotte's identity to sell laptops that were either stolen or (more likely) completely non-existent. Once the buyers discovered they'd been had, they'd be blaming Charlotte for it.
Funny enough, I wanted to complain about all this the day it happened- but Blogger actually got hacked that day too, so I couldn't even whine! Talk about helpless!
So, we found eBay's phone number pretty easily. Within about 45 minutes, the fraudulent auctions were closed, and Charlotte had her account back. Since eBay had access to our bank account via our check card, we cancelled the card (even though eBay was pretty sure the hacker had no direct access to this information- however we would have been charged listing fees for any items he would have listed).
Yahoo was a different story... their number was much harder to find, so Charlotte actually spent a couple of days dealing with their email-based customer service staff. She couldn't answer half of the verification questions they asked her (duh- because the hacker had changed her info!), so they said they didn't believe her. I eventually figured out what their phone number was, but we had to wait until Monday to call. Once she was actually able to talk to someone, they finally gave her account back to her.
She found a bunch of email from potential buyers in her Inbox, and replies from the hacker in her outbox. Naturally, most of the eBayers who wrote wanted to know why Western Union was the only method of payment. The hacker actually told them- get this- that he was travelling around Europe toting these laptops around with him, and there were Western Union offices all over Europe.
Charlotte emailed every person who had written to her to let them know what had happened. At least two of the people wrote back to thank her, and said that they didn't go through with the deal because it sounded too fishy. Well, good on them- it was!
The hacker is still at it- we found identical items listed under some other person's account yesterday. (I noticed that eBay had shut the auctions down by this morning though.)
How can you keep what happened to Charlotte from happening to you? Use a different password at EVERY web site you use. Also, pick passwords that do not have anything to do with you or the site you're logging onto, and that have combinations of letters and numbers. (Many passwords are case-sensitive. You can mix case for added security.)
How can you tell when a hacker is fraudently listing items for auction? Check the seller's other items for auction- are they very different from the item you're interested in? (Charlotte usually sells used books and CDs- it seemed strange to some people that she would be selling multiple brand new laptops. Also that other hacked user we saw last night usually sold hunting gear.) Also, limited or unorthodox forms of payment (like "Western Union only") are a good tip-off. Finally, anything in the auction that encourages you to do anything that obviously violates eBay policies, like contacting via email for an off-eBay transaction should make you very suspicious.
Surf safe and shop smart!
