Forum Thread

BestBuy gift card bought from PayPal through Ebay showing 0 balance

DFamas 507 60 September 10, 2016 at 11:27 PM
Deal
Score
+3
1,716 Views

Thread Details

I bought a gc early last month. I go to use it today and notice the balance is 0. I thought maybe I had used it but I was sure I did not. Checked my BB order history and no orders were placed after the date which I bought it from Ebay. Anyone else have this happen to them? Who did you contact BB or EBay/PayPal?
If you purchase something through a post on our site, Slickdeals may get a small share of the sale.

Community Wiki

Last Edited by dreamsINdigital September 24, 2016 at 06:33 PM
The issue is that PayPal Digital Gifts mistakenly allowed gift card claim pages to be indexed by search engines. This allowed anyone to search for those pages and use the gift card codes before the owners did. There are confirmed reports of stolen gift cards dating back to June 2016 at least. If you bought a gift card from PayPal Digital Gifts on eBay, use the balance immediately!

Contact for PayPal Digital Gifts [paypal-gifts.com]

Additional info:

36 Comments

1 2 3

Sign up for a Slickdeals account to remove this ad.

Joined Dec 2010
L8: Grand Teacher
3,501 Posts
1,939 Reputation
#3
Nothing to do with BB or Ebay as they wouldn't do much about it except providing you with the information when and where is the gift card is used. Contacted Paypal to resolve this and asked to speak to their gift card department. Rumor said that PPGCs have been hacked and many gift cards were stolen that is why they shut down their site for a few days.
Reply Helpful Comment? 0 0
#4
There was a thread about this last week but with Target gift cards. Can't find it now, but I know ive seen other threads with people having the same issue.
Reply Helpful Comment? 0 0
#5
SVM gift cards sold on eBay have also gotten hacked - a Circle K card I bought from them was depleted a week before I tried using it. They claim they are just a third party reseller and referred me to Circle K customer service, who is now "investigating". At this point I can't say if the hack was at SVM or Circle K, but I'm done buying gift cards on eBay. I would recommend others do the same.
Reply Helpful Comment? 0 0
#6
Quote from mosd88 View Post :
SVM gift cards sold on eBay have also gotten hacked - a Circle K card I bought from them was depleted a week before I tried using it. They claim they are just a third party reseller and referred me to Circle K customer service, who is now "investigating". At this point I can't say if the hack was at SVM or Circle K, but I'm done buying gift cards on eBay. I would recommend others do the same.
So you had a physical Circle K gift card from SVM depleted after you received it? I thought that physical cards were a lot safer.
Reply Helpful Comment? 0 0
#7
Quote from agentstryker909 View Post :
So you had a physical Circle K gift card from SVM depleted after you received it? I thought that physical cards were a lot safer.
Yes that is exactly what happened, about 14 weeks after I received them. As for physical cards being safer... well... when SVM sends you the cards, they are glued to a "thank you" letter which has the card number on it. So their computers are holding the card number at some point. Circle K cards don't have a PIN, which means if those computers are hacked then I imagine that if you have the card number, blank cards, and the right knowledge and the right equipment its very easy to encode your own. At this point I don't know whether SVM or Circle K systems were compromised. I'm still trying to find out which Circle K this card was emptied at... not getting any help on that from SVM and very little help from Circle K at this time.
Reply Helpful Comment? 0 0
Last edited by mosd88 September 11, 2016 at 09:09 AM
#8
Quote from mosd88 View Post :
Yes that is exactly what happened, about 14 weeks after I received them. As for physical cards being safer... well... when SVM sends you the cards, they are glued to a "thank you" letter which has the card number on it. So their computers are holding the card number at some point. Circle K cards don't have a PIN, which means if those computers are hacked then I imagine that if you have the card number, blank cards, and the right knowledge and the right equipment its very easy to encode your own. At this point I don't know whether SVM or Circle K systems were compromised. I'm still trying to find out which Circle K this card was emptied at... not getting any help on that from SVM and very little help from Circle K at this time.
I am sitting on a ton of SVM gas gift cards for Circle K, 76, and ConocoPhillips. I haven't had problems using them over the past 6+ months. I wonder if I can convert these gift cards over to new gift cards at the gas stations?
Reply Helpful Comment? 0 0
Joined Nov 2014
L10: Grand Master
8,421 Posts
1,531 Reputation
Pro
#9
Simple solution. The second you get your ebay GC, use it to buy something dirt cheap. Then it's locked to your account and no one can five finger it.

As to how these things get lifted, I don't think has to do with a server getting hacked and number stolen. I think it's just brute force. There's a pattern to the numbers. They just keep trying numbers until they find one with a balance. The same way people crack passwords.
Reply Helpful Comment? 0 0

Sign up for a Slickdeals account to remove this ad.

Joined Dec 2010
L8: Grand Teacher
3,501 Posts
1,939 Reputation
#10
Quote from ghostofposterspast View Post :
Simple solution. The second you get your ebay GC, use it to buy something dirt cheap. Then it's locked to your account and no one can five finger it.

As to how these things get lifted, I don't think has to do with a server getting hacked and number stolen. I think it's just brute force. There's a pattern to the numbers. They just keep trying numbers until they find one with a balance. The same way people crack passwords.
Doubt that for Paypal, it happened to multiple types of gift cards such as itunes, BB, target etc.
Reply Helpful Comment? 0 0
#11
Quote from agentstryker909 View Post :
I am sitting on a ton of SVM gas gift cards for Circle K, 76, and ConocoPhillips. I haven't had problems using them over the past 6+ months. I wonder if I can convert these gift cards over to new gift cards at the gas stations?
Yup I had a bunch too, various brands so I could "GasBuddy" the cheapest one at any given time. Gonna work through what I have left and that's that. $100 lost wipes out pretty much all the savings from every card I ever bought.
Reply Helpful Comment? 0 0
Joined Nov 2004
L10: Grand Master
6,471 Posts
1,597 Reputation
#12
Quote from ghostofposterspast View Post :

I don't think has to do with a server getting hacked and number stolen. I think it's just brute force. There's a pattern to the numbers. They just keep trying numbers until they find one with a balance. The same way people crack passwords.
Paypal gifts had a fail robots.txt file that allowed search engines to index the "here is your PayPal gift card" pages. "Hackers" simply read the GC and email info off the cache of search engines like google. This is for digital GCs obviously.
Reply Helpful Comment? 0 0
Last edited by DeltaMajor156 September 13, 2016 at 04:55 AM
Joined Nov 2014
L10: Grand Master
8,421 Posts
1,531 Reputation
Pro
#13
Quote from DeltaMajor156 View Post :
Paypal gifts had a fail robots.txt file that allowed search engines to index the "here is your PayPal gift card" pages. "Hackers" simply read the GC and email info off the cache of search engines like google. This is for digital GCs obviously.
But regardless of the robots.txt, they should have an .htaccess that forbids access to those directories. Since robots.txt or not, anyone can simply browse into those directories and look at the pages.
Reply Helpful Comment? 0 0
Joined Nov 2004
L10: Grand Master
6,471 Posts
1,597 Reputation
#14
Quote from ghostofposterspast View Post :
But regardless of the robots.txt, they should have an .htaccess that forbids access to those directories. Since robots.txt or not, anyone can simply browse into those directories and look at the pages.
Not sure what it all means, just repeating some things I've read recently. What do you make of this?


Code:
https://www.google.com/?gws_rd=ssl#q=site:paypal-gifts.com+Here%27s+your+Gift+Card&filter=0
Reply Helpful Comment? 0 0
Joined Nov 2014
L10: Grand Master
8,421 Posts
1,531 Reputation
Pro
#15
Quote from DeltaMajor156 View Post :
Not sure what it all means, just repeating some things I've read recently. What do you make of this?


Code:
https://www.google.com/?gws_rd=ssl#q=site:paypal-gifts.com+Here%27s+your+Gift+Card&filter=0
A robot.txt file is only a request that spiders/indexers don't index that directory. It's like putting up a no trespassing sign. Just like a no trespassing sign, nothing keeps someone from going in if they choose to ignore it. You need security for that. Either to keep them off your property or to keep them out of your directory. That's what .htaccess does. Do you think a simple no trespassing sign will keep people who would steal codes out? Just because google doesn't index it, doesn't mean it doesn't exist.
Reply Helpful Comment? 0 0
Page 1 of 3
1 2 3
Join the Conversation
Add a Comment
 
Copyright 1999 - 2016. Slickdeals, LLC. All Rights Reserved. Copyright / Infringement Policy  •  Privacy Policy  •  Terms of Service  •  Acceptable Use Policy (Rules)  •  Interest-Based Ads
Link Copied to Clipboard