eBay has responded to claims of a security breach at its PayPal payments unit that were published in a blog post by a former Google software engineer. Naoki Hiroshima published the post, “My $50,000 Twitter Username Was Stolen Thanks to PayPal and GoDaddy,” saying a scammer used social engineering techniques to get PayPal and GoDaddy employees to release information that helped the scammer hijack his account.
Hiroshima said in his post that the scammer revealed some of the methods used to take over the account, including this claim from the scammer: “I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone).”
In a post on Wednesday published on both the PayPal and eBay blogs, eBay denied that allegation. In the denial, the companies said an investigation of the incident revealed the following:
- We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal.
- PayPal did not divulge any credit card details related to this account.
- PayPal did not divulge any personal or financial information related to this account.
- This individual’s PayPal account was not compromised.
eBay said PayPal’s customer service agents were well trained to prevent social hacking attempts like the ones detailed in Hiroshima’s blog post and said it was reaching out to him to see if it could be of assistance.
“We work constantly to ensure that PayPal’s validation and security processes are amongst the best in the industry and encourage our customers to be aware of the simple steps they can take to help prevent these types of crimes. You will find helpful information and tips on our Security Center.”
In the meantime, GoDaddy released a statement about its role in the incident.
“Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.”
You can read Hiroshima’s description of the hacking incident on Medium.com.