UPDATE: It has been discovered that the security flaw has actually existed since February. The number of ads identified has risen overnight from 4 ads from 4 different eBay accounts to hundreds across multiple accounts. Details show that the issue was identified and reported by multiple users in February; however, eBay has done nothing to combat this issue until now. Items listed include smartphones, digital cameras, clothes and household items.
Wednesday night was not only the release of Apple’s iOS 8, but also the night that eBay discovered spoof ads on their network. The ads attempted to steal buyer credentials through diverted pages which linked to a fake page replicating the eBay marketplace welcome page. From there the user is asked to sign in, giving up their login credentials.
Despite being made aware of the hack on the night, eBay only removed these spoof ads following a call from the BBC over 12 hours later. Considering the number of security incidents with eBay this year alone, it is very surprising that a 24/7 response team is not already in place to resolve issues like these promptly before users are affected.
The initial user who discovered the compromised page only noticed because of the unusual web address they were linked to, suggesting that anyone with limited tech knowledge would have been fooled, not knowing any different. That said, we can probably guarantee that many a user has fallen for the bait, meaning someone out there somewhere will have virtually full access to buyer accounts.
The account that initially posted the malicious ads only had 3 posts; however, there is nothing stopping them from using the accounts accessed to spread this compromise further across the web, giving them access to even more user finance details.