Fraudulent Activity

Annoyed · Guest

Just recieved the following alert from Experian who I have along with a credit ref account a fruad monitor in place.

Yesterday I signed up to Gixen for the first time and I signed up to no other new services and I received the following this morning.

Other be warned there is a serious potential that Gixen are selling your ebay logins whether as a company or whether it is an individual within your company. I suggest you get your house in order. I now have to go and change a lot of passwords. Thanks for that.

High Risk Alert

Your email address and password are being illegally published and sold online.

What have we found? Your email address xxxxxxxxxxxxx and the password you use to access it Why do I need to know?
They are being sold together online by illegal black market communities. This puts you at high risk of becoming a victim of fraud.

More details and what to do next
Date Found: 21/05/15

mario · Site Admin Joined: 03 Oct 2006 Posts: 7241

Annoyed,

There is only one person with access to user information, and that's me. I haven't, and I am not going to, sell or disclose any user information to anyone. I also have extensive measures in place to prevent anyone from breaking into Gixen's servers, as well as measures to detect that in a highly unlikely event it happens.

Truth be told, I am highly annoyed when accusations such as yours happen, as they are highly damaging - I have been building my users' trust for years. I have never even sent a single promotional email that may be seen as spamming, and I ask users for bare minimum of information needed to use the service. Email is not part of it - it's entirely optional if you enter it or not, and this is only needed for notifications.

Annoyed · Guest

Just words I am afraid.

It may not have been deliberate, but are you 100% sure that where you hold our infomation is 100% secure.

I work in IT and I am very very careful about what I use on the internet I researched GIXEN and read through this forum and that is why i trusted the site in the first place as it seemed to be above board.

However given the care I take online and the fact that I have not signed up to any other websites in the last 3-4 months with that username password combination it strikes me as a co-incidence.

How am i so sure, well I use a hierachy of usernames and passwords. FOr forum and low risk stuff I have one combination. Then for Social media a second and finally for ebay paypal and banking I have seperate ones that I only use for those.

THis seperation leads to me to be fairly sure that taking the co-incidence into consideration that the leak whether deliberate or accidental happened here.

Granted someone could have hacked Ebay but I think it would have been public knowledge by now.

I logged into your website on a highly secure company network where I work.

So you can say its a false accusations but it has not been arrived at lightly

stib · Guest

Sorry, you say you have access to the usernames and contact details? Why aren't these hashed? That seems to be just asking for trouble

Gixen · Advertisements

mario · Site Admin Joined: 03 Oct 2006 Posts: 7241

Annoyed,

I have many years of experience specifically in IT security software. I am not saying that it's impossible, as one can never say this, but it's highly unlikely to happen. But what I can say for sure is impossible is that this happens without me noticing.

Please email me and include your ebay username. I will go through all the logs to see if I can find anything that is suspicious - specifically I would like to check if anyone logged in to your Gixen account from a place other than your home location.

As for eBay, you know that eBay was indeed hacked in May of 2014? Have you changed your ebay password since then?

mario · Site Admin Joined: 03 Oct 2006 Posts: 7241

Ramona · Guest

Annoyed - have you done a thorough malware scan on every PC that you have used to access eBay with (and not just the one that you accessed Gixen with)? It's possible that you have picked up a Man-In-The-Browser attack which has compromised your eBay authentication credentials.

Have you ever used a wireless network, other than one that you control, to access eBay? If so, you may have succumbed to an Evil Twin attack.

Have you actually verified the information that Experian provided? They do have a vested interest in using scare tactics to persuade you to use their services. And the sentence "Your email address and password are being illegally published and sold online." makes absolutely no sense - if they are published, then how could they also be sold? And is it really illegal to publish or sell address/password information? If so, under what legislation (and in what jurisdiction was it being sold)? Are you sure that the email was genuinely from Experian? Were they able to tell you which email address and password was being published/sold?

Even if there was a compromise at the Gixen end (which, based on the research that I did before joining, as well as Mario's focus on security, I think is highly unlikely), I would be very surprised if the perpetrator could get your details published on a web site, and Experian find them there, and then notify you, all within the space of a day. Things just don't happen that quickly, which makes me think that the compromise happened elsewhere (if at all).