PSA: Check your balance for PayPal Digital Gifts bought from eBay. Your digital gift cards might have been compromised and have a 0 balance.
I bought a Best Buy gc in early August. I went to use it today and noticed the balance is 0. I thought maybe I had used it but I was sure I did not. Checked my BB order history and no orders were placed after the date on which I bought it from eBay. Anyone else have this happen to them? Who did you contact, BB or eBay/PayPal?
-----------
Updated thread title to be more descriptive.
Community Wiki (last edited by theST0RM, January 26, 2017 at 08:16 AM)
The issue is that PayPal Digital Gifts mistakenly allowed gift card claim pages to be indexed by search engines. This allowed anyone to search for those pages and use the gift card codes before the owners did. There are confirmed reports of stolen gift cards dating back to March 2016 at least. If you bought a gift card from PayPal Digital Gifts on eBay, use the balance immediately! The PayPal Facebook group sent a user a message saying "the issue" affected cards purchased between May 4 and August 31.
LIST OF LOCATIONS WHERE GIFT CARDS WERE USED (per Best Buy customer service):
Hialeah FL Best Buy (http://stores.bestbuy.com/fl/hial...e-555.html) on 10/1/2016. $75 worth of GCs purchased 6/30/2016.
Roseville CA Best Buy: 15 $100 gift cards were used to buy a $1500 BB gift card on 9/15/16.
Nothing to do with BB or eBay, as they wouldn't do much about it except providing you with the information on when and where the gift card is used. Contacted PayPal to resolve this and asked to speak to their gift card department. Rumor said that PPGCs have been hacked and many gift cards were stolen; that is why they shut down their site for a few days.
There was a thread about this last week but with Target gift cards. Can't find it now, but I know I've seen other threads with people having the same issue.
SVM gift cards sold on eBay have also gotten hacked - a Circle K card I bought from them was depleted a week before I tried using it. They claim they are just a third party reseller and referred me to Circle K customer service, who is now "investigating". At this point I can't say if the hack was at SVM or Circle K, but I'm done buying gift cards on eBay. I would recommend others do the same.
So you had a physical Circle K gift card from SVM depleted after you received it? I thought that physical cards were a lot safer.
Yes, that is exactly what happened, about 14 weeks after I received them. As for physical cards being safer... well... when SVM sends you the cards, they are glued to a "thank you" letter which has the card number on it. So their computers are holding the card number at some point. Circle K cards don't have a PIN, which means if those computers are hacked then I imagine that if you have the card number, blank cards, and the right knowledge and the right equipment it's very easy to encode your own. At this point I don't know whether SVM or Circle K systems were compromised. I'm still trying to find out which Circle K this card was emptied at... not getting any help on that from SVM and very little help from Circle K at this time.
I am sitting on a ton of SVM gas gift cards for Circle K, 76, and ConocoPhillips. I haven't had problems using them over the past 6+ months. I wonder if I can convert these gift cards over to new gift cards at the gas stations?
Simple solution. The second you get your eBay GC, use it to buy something dirt cheap. Then it's locked to your account and no one can five finger it.
As to how these things get lifted, I don't think it has to do with a server getting hacked and numbers stolen. I think it's just brute force. There's a pattern to the numbers. They just keep trying numbers until they find one with a balance. The same way people crack passwords.
Doubt that for PayPal; it happened to multiple types of gift cards such as iTunes, BB, Target, etc.
I am sitting on a ton of SVM gas gift cards for Circle K, 76, and ConocoPhillips. I haven't had problems using them over the past 6+ months. I wonder if I can convert these gift cards over to new gift cards at the gas stations?
Yup I had a bunch too, various brands so I could "GasBuddy" the cheapest one at any given time. Gonna work through what I have left and that's that. $100 lost wipes out pretty much all the savings from every card I ever bought.
I don't think it has to do with a server getting hacked and numbers stolen. I think it's just brute force. There's a pattern to the numbers. They just keep trying numbers until they find one with a balance. The same way people crack passwords.
PayPal gifts had a fail robots.txt file that allowed search engines to index the "here is your PayPal gift card" pages. "Hackers" simply read the GC and email info off the cache of search engines like Google. This is for digital GCs obviously.
But regardless of the robots.txt, they should have an .htaccess that forbids access to those directories. Since robots.txt or not, anyone can simply browse into those directories and look at the pages.
Not sure what it all means, just repeating some things I've read recently. What do you make of this?
A robots.txt file is only a request that spiders/indexers don't index that directory. It's like putting up a no trespassing sign. Just like a no trespassing sign, nothing keeps someone from going in if they choose to ignore it. You need security for that. Either to keep them off your property or to keep them out of your directory. That's what .htaccess does. Do you think a simple no trespassing sign will keep people who would steal codes out? Just because Google doesn't index it, doesn't mean it doesn't exist.
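
The distinction drawn in the replies above (robots.txt is a request to crawlers, access control is what keeps a page private), as an added example that is not part of the original thread: a small Python audit that separates the two findings. The robots.txt text, the paths, the responses and the crawler name `ExampleBot` are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample data: robots.txt text, paths and responses are invented
# for illustration and do not come from any real site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
"""

# Result of an unauthenticated GET for each page (constructed).
RESPONSES = {
    "/claim/abc123": {"status": 200, "headers": {}},
    "/claim/def456": {"status": 200,
                      "headers": {"X-Robots-Tag": "noindex, noarchive"}},
    "/admin/orders": {"status": 200, "headers": {}},
    "/account/cards": {"status": 401, "headers": {}},
}


def audit(robots_txt, responses, agent="ExampleBot"):
    """Return {path: [issues]} for pages that should be private."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    findings = {}
    for path, resp in sorted(responses.items()):
        issues = []
        if resp["status"] == 200:
            # Served to a client with no session: this is the real exposure,
            # and no crawler directive changes it.
            issues.append("readable-without-login")
            headers = {k.lower(): v.lower() for k, v in resp["headers"].items()}
            tag = headers.get("x-robots-tag", "")
            noindex = "noindex" in tag or "none" in tag
            # Crawler directives only decide whether a well-behaved search
            # engine will also list the page.
            if rp.can_fetch(agent, path) and not noindex:
                issues.append("indexable")
        findings[path] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit(ROBOTS_TXT, RESPONSES).items():
        print(f"{path:16} {', '.join(issues) or 'ok'}")
```

Only the page that answers 401 comes back clean; the Disallow rule and the noindex header remove the "indexable" finding but leave the page readable by anyone who has the URL.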