- Joined
- Feb 11, 2009
- Messages
- 23,131
- Reaction score
- 18,807
- Location
- NJ (The nice part)
- Guild Total
- 112
I posted this in an Online Offerings thread and though it would be useful in a more public area. There is a widely held misconception about modern "hacking". For the record, "hacking" is using finding vulnerabilities or backdoors in systems using intelligence, knowledge, coding ability, and a pile of other skills that most modern "hackers" know nothing about. Real hackers are out there, though! Most of the really big data breaches are due to them, though traditionally a real hacker would call them crackers because traditionally hackers didn't really cause harm.
Anyway, here's the info:
Ebay is not hacked. What you're seeing is bots that are creating listings.
The "hacking" is a result of users who use the same passwords everywhere then don't change their passwords after reading in the news that there's been a major data breach that affects 2.7 million customers, etc.
BTW this is was 99% of "hacking" is: taking advantage of people who use the same password everywhere and never change them.
Here's how it works:
And yes, people still have PASSWORD as their passwords - especially users who have had accounts for 15 years. Smart companies disable the accounts and force a PW change. Not all companies are smart.
Hacker-wannabe-script-kiddie (let's call him Zippy) writes (or more likely downloads) a script that takes that list and then uses it to try and log into every major website in the world. If you can name a website, Zippy's tried to get in. How does Zippy know all the big websites? He downloaded a list.
Now the script takes the list of websites and systematically applies the list of username/passwords:
Apple.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Baidu.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
CNN.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Ebay.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Facebook.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Reddit.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Netflix.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
If there are no login limit controls (rare today) then the script can try 1000s of users per minute. Maybe even per second. But Zippy doesn't need speed. Why? Because he has a list of already hacked systems (that he freaking downloaded) and he puts bots on 1000 compromised systems on the Internet. Now he has 1000 systems attacking 10,000 websites and reporting back when they get a working login.
Zippy leaves his bots while he spends the weekend doing whatever it is hacker-wannabe-script-kiddies do with their downtime (likely yelling obscenities at other players on Xbox Live). At the end of the weekend he checks his mail/log/system/whatever and has a report with literally hundreds of successful logins on the world's most well-known webservers.
He then either uses them or sells them, usually for gift cards, crypto, or some other untraceable replacement for money, and then just repeats the process.
This can be done from anywhere in the world at any time, and it is very difficult to stop.
Anyway, here's the info:
Must be done by a bot...seems to be showing 49,000 + results = 'listings' by that 'account'
EBay is REALLY hacked majorly this time...wonder if they need to close down the site to clean it up...
@GAD, is it safe to post Ebay listings on here until this is resolved? Could clicking on a link spread that 'illness' to here? Just wondering.
Ebay is not hacked. What you're seeing is bots that are creating listings.
The "hacking" is a result of users who use the same passwords everywhere then don't change their passwords after reading in the news that there's been a major data breach that affects 2.7 million customers, etc.
BTW this is was 99% of "hacking" is: taking advantage of people who use the same password everywhere and never change them.
Here's how it works:
- Twitter gets hacked and confirms that 5.4 million accounts were "stolen". This actually happened in 2022. This was an actual hack (probably - could have been social engineering, a disgruntled employee, or any of a number of other non-actual-hacking events, but let's say for now that they were hacked.
- Hackers take the lists of 5.4 million accounts and do three things with them:
- Try to use the info to get deeper into Twitter
- Sell or more likely just publish the list to the dark web (ooooh scary)
- Use the account information to compromise other accounts on other systems. *This* is what you're seeing on Ebay
Code:
USER PASSWORD
Alfred PASSWORD
Bob 123456
Charles P@SSWORD
Diane Mary
Effram jesb2#489
Frank 112199
GAD *#^@0h2#98
...
And yes, people still have PASSWORD as their passwords - especially users who have had accounts for 15 years. Smart companies disable the accounts and force a PW change. Not all companies are smart.
Hacker-wannabe-script-kiddie (let's call him Zippy) writes (or more likely downloads) a script that takes that list and then uses it to try and log into every major website in the world. If you can name a website, Zippy's tried to get in. How does Zippy know all the big websites? He downloaded a list.
Now the script takes the list of websites and systematically applies the list of username/passwords:
Apple.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Baidu.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
CNN.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Ebay.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Facebook.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Reddit.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Netflix.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
If there are no login limit controls (rare today) then the script can try 1000s of users per minute. Maybe even per second. But Zippy doesn't need speed. Why? Because he has a list of already hacked systems (that he freaking downloaded) and he puts bots on 1000 compromised systems on the Internet. Now he has 1000 systems attacking 10,000 websites and reporting back when they get a working login.
Zippy leaves his bots while he spends the weekend doing whatever it is hacker-wannabe-script-kiddies do with their downtime (likely yelling obscenities at other players on Xbox Live). At the end of the weekend he checks his mail/log/system/whatever and has a report with literally hundreds of successful logins on the world's most well-known webservers.
He then either uses them or sells them, usually for gift cards, crypto, or some other untraceable replacement for money, and then just repeats the process.
This can be done from anywhere in the world at any time, and it is very difficult to stop.
Last edited: