Forum Thread

PSA: Check your balance for PayPal Digital Gifts bought from eBay. Your digital gift cards might have been compromised and have a 0 balance.

+29 Deal Score
74,867 Views
I bought a Best Buy GC in early August. I went to use it today and noticed the balance is 0. I thought maybe I had used it but I was sure I did not. Checked my BB order history and no orders were placed after the date on which I bought it from eBay. Anyone else have this happen to them? Who did you contact, BB or eBay/PayPal?


-----------
Updated thread title to be more descriptive.
Created 09-10-2016 at 11:27 PM by SoldierHill

Community Wiki

Last Edited by theST0RM January 26, 2017 at 07:16 AM
The issue is that PayPal Digital Gifts mistakenly allowed gift card claim pages to be indexed by search engines. This allowed anyone to search for those pages and use the gift card codes before the owners did. There are confirmed reports of stolen gift cards dating back to March 2016 at least. If you bought a gift card from PayPal Digital Gifts on eBay, use the balance immediately! The PayPal Facebook group sent a user a message saying "the issue" affected cards purchased between May 4 and August 31.

Contact for PayPal Digital Gifts [paypal-gifts.com]

Link to eBay gift certificates associated with PayPal prior to March 2016 (login to PayPal first): https://www.paypal.com/cgi-bin/cu...-available

Additional info: File a complaint with your state's attorney general
https://oag.ca.gov/contact/consum...or-company

and the FTC
https://www.ftc.gov/complaint [ftc.gov]


LIST OF LOCATIONS WHERE GIFT CARDS WERE USED (per Best Buy customer service):
Hialeah FL Best Buy (http://stores.bestbuy.com/fl/hial...e-555.html) on 10/1/2016. $75 worth of GCs purchased 6/30/2016.
Roseville Ca Best Buy 15 $100 gift cards were used to buy a $1500 BB gift card on 9/15/16.

601 Comments

Joined Dec 2010
L8: Grand Teacher
3,756 Posts
2,050 Reputation
#3
Nothing to do with BB or eBay, as they wouldn't do much about it except providing you with the information on when and where the gift card is used. Contacted PayPal to resolve this and asked to speak to their gift card department. Rumor said that PPGCs have been hacked and many gift cards were stolen, and that is why they shut down their site for a few days.
Reply Helpful Comment? 1 0
Joined Sep 2012
L2: Beginner
53 Posts
14 Reputation
#4
There was a thread about this last week but with Target gift cards. Can't find it now, but I know I've seen other threads with people having the same issue.
Reply Helpful Comment? 0 0
Joined Jan 2010
L5: Journeyman
588 Posts
139 Reputation
#5
SVM gift cards sold on eBay have also gotten hacked - a Circle K card I bought from them was depleted a week before I tried using it. They claim they are just a third party reseller and referred me to Circle K customer service, who is now "investigating". At this point I can't say if the hack was at SVM or Circle K, but I'm done buying gift cards on eBay. I would recommend others do the same.
Reply Helpful Comment? 1 0
Joined Jul 2014
L7: Teacher
2,351 Posts
220 Reputation
#6
Quote from mosd88:
SVM gift cards sold on eBay have also gotten hacked - a Circle K card I bought from them was depleted a week before I tried using it. They claim they are just a third party reseller and referred me to Circle K customer service, who is now "investigating". At this point I can't say if the hack was at SVM or Circle K, but I'm done buying gift cards on eBay. I would recommend others do the same.
So you had a physical Circle K gift card from SVM depleted after you received it? I thought that physical cards were a lot safer.
Reply Helpful Comment? 0 0
Joined Jan 2010
L5: Journeyman
588 Posts
139 Reputation
#7
Quote from agentstryker909:
So you had a physical Circle K gift card from SVM depleted after you received it? I thought that physical cards were a lot safer.
Yes that is exactly what happened, about 14 weeks after I received them. As for physical cards being safer... well... when SVM sends you the cards, they are glued to a "thank you" letter which has the card number on it. So their computers are holding the card number at some point. Circle K cards don't have a PIN, which means if those computers are hacked then I imagine that if you have the card number, blank cards, and the right knowledge and the right equipment it's very easy to encode your own. At this point I don't know whether SVM or Circle K systems were compromised. I'm still trying to find out which Circle K this card was emptied at... not getting any help on that from SVM and very little help from Circle K at this time.
Reply Helpful Comment? 0 0
Last edited by mosd88 September 11, 2016 at 09:09 AM.
Joined Jul 2014
L7: Teacher
2,351 Posts
220 Reputation
#8
Quote from mosd88:
Yes that is exactly what happened, about 14 weeks after I received them. As for physical cards being safer... well... when SVM sends you the cards, they are glued to a "thank you" letter which has the card number on it. So their computers are holding the card number at some point. Circle K cards don't have a PIN, which means if those computers are hacked then I imagine that if you have the card number, blank cards, and the right knowledge and the right equipment it's very easy to encode your own. At this point I don't know whether SVM or Circle K systems were compromised. I'm still trying to find out which Circle K this card was emptied at... not getting any help on that from SVM and very little help from Circle K at this time.
I am sitting on a ton of SVM gas gift cards for Circle K, 76, and ConocoPhillips. I haven't had problems using them over the past 6+ months. I wonder if I can convert these gift cards over to new gift cards at the gas stations?
Reply Helpful Comment? 1 0
Joined Nov 2014
L10: Grand Master
16,049 Posts
3,024 Reputation
Pro
#9
Simple solution. The second you get your ebay GC, use it to buy something dirt cheap. Then it's locked to your account and no one can five finger it.

As to how these things get lifted, I don't think it has to do with a server getting hacked and numbers stolen. I think it's just brute force. There's a pattern to the numbers. They just keep trying numbers until they find one with a balance. The same way people crack passwords.
Reply Helpful Comment? 0 0
Joined Dec 2010
L8: Grand Teacher
3,756 Posts
2,050 Reputation
#10
Quote from ghostofposterspast:
Simple solution. The second you get your ebay GC, use it to buy something dirt cheap. Then it's locked to your account and no one can five finger it.

As to how these things get lifted, I don't think it has to do with a server getting hacked and numbers stolen. I think it's just brute force. There's a pattern to the numbers. They just keep trying numbers until they find one with a balance. The same way people crack passwords.
Doubt that for Paypal, it happened to multiple types of gift cards such as itunes, BB, target etc.
Reply Helpful Comment? 1 0
Joined Jan 2010
L5: Journeyman
588 Posts
139 Reputation
#11
Quote from agentstryker909:
I am sitting on a ton of SVM gas gift cards for Circle K, 76, and ConocoPhillips. I haven't had problems using them over the past 6+ months. I wonder if I can convert these gift cards over to new gift cards at the gas stations?
Yup I had a bunch too, various brands so I could "GasBuddy" the cheapest one at any given time. Gonna work through what I have left and that's that. $100 lost wipes out pretty much all the savings from every card I ever bought.
Reply Helpful Comment? 1 0
Joined Nov 2004
L10: Grand Master
7,555 Posts
1,974 Reputation
#12
Quote from ghostofposterspast:
I don't think it has to do with a server getting hacked and numbers stolen. I think it's just brute force. There's a pattern to the numbers. They just keep trying numbers until they find one with a balance. The same way people crack passwords.
Paypal gifts had a fail robots.txt file that allowed search engines to index the "here is your PayPal gift card" pages. "Hackers" simply read the GC and email info off the cache of search engines like google. This is for digital GCs obviously.
Reply Helpful Comment? 0 0
Last edited by DeltaMajor156 September 13, 2016 at 04:55 AM.
Joined Nov 2014
L10: Grand Master
16,049 Posts
3,024 Reputation
Pro
#13
Quote from DeltaMajor156:
Paypal gifts had a fail robots.txt file that allowed search engines to index the "here is your PayPal gift card" pages. "Hackers" simply read the GC and email info off the cache of search engines like google. This is for digital GCs obviously.
But regardless of the robots.txt, they should have an .htaccess that forbids access to those directories. Since robots.txt or not, anyone can simply browse into those directories and look at the pages.
Reply Helpful Comment? 0 0
Joined Nov 2004
L10: Grand Master
7,555 Posts
1,974 Reputation
#14
Quote from ghostofposterspast:
But regardless of the robots.txt, they should have an .htaccess that forbids access to those directories. Since robots.txt or not, anyone can simply browse into those directories and look at the pages.
Not sure what it all means, just repeating some things I've read recently. What do you make of this?


Code:
https://www.google.com/?gws_rd=ssl#q=site:paypal-gifts.com+Here%27s+your+Gift+Card&filter=0
Reply Helpful Comment? 0 0
Joined Nov 2014
L10: Grand Master
16,049 Posts
3,024 Reputation
Pro
#15
Quote from DeltaMajor156:
Not sure what it all means, just repeating some things I've read recently. What do you make of this?


Code:
https://www.google.com/?gws_rd=ssl#q=site:paypal-gifts.com+Here%27s+your+Gift+Card&filter=0
A robots.txt file is only a request that spiders/indexers don't index that directory. It's like putting up a no trespassing sign. Just like a no trespassing sign, nothing keeps someone from going in if they choose to ignore it. You need security for that. Either to keep them off your property or to keep them out of your directory. That's what .htaccess does. Do you think a simple no trespassing sign will keep people who would steal codes out? Just because google doesn't index it, doesn't mean it doesn't exist.
Reply Helpful Comment? 0 0
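
Added example (not part of any post in this thread, and not PayPal's code): a site owner's self-check contrasting the two controls discussed in the posts above, robots.txt as an advisory request versus what the server actually returns to an anonymous request for a claim page. The host, path, token and header values are constructed assumptions.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample data; host, path and header values are assumptions.
ROBOTS_TXT = "User-agent: *\nDisallow: /claim/\n"
CLAIM_URL = "https://gifts.example/claim/PLACEHOLDER-TOKEN"
RESPONSES = {
    "open":      (200, {"Content-Type": "text/html"}),
    "noindex":   (200, {"X-Robots-Tag": "noindex, noarchive",
                        "Cache-Control": "no-store"}),
    "protected": (401, {"WWW-Authenticate": 'Basic realm="gifts"'}),
}

def robots_allows(robots_txt, agent, url):
    """Decision a compliant crawler makes; the server enforces nothing."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, url)

def audit_claim_response(status, headers):
    """Findings for an unauthenticated GET of a claim page on your own site."""
    if status != 200:
        return []  # not served to an anonymous client (e.g. 401/403)
    h = {k.lower(): v.lower() for k, v in headers.items()}
    findings = ["served without authentication"]
    if "noindex" not in h.get("x-robots-tag", ""):
        findings.append("indexable: no X-Robots-Tag noindex")
    if "no-store" not in h.get("cache-control", ""):
        findings.append("cacheable: no Cache-Control no-store")
    return findings

def report():
    """Audit every constructed sample response."""
    return {name: audit_claim_response(*resp)
            for name, resp in RESPONSES.items()}

if __name__ == "__main__":
    print("compliant crawler may fetch:",
          robots_allows(ROBOTS_TXT, "Googlebot", CLAIM_URL))
    for name, findings in report().items():
        print(name, "->", findings or "no findings")
```

Only the "protected" case is enforced by the server; the "noindex" case keeps the page out of search results but still hands the code to anyone who has the link.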