Mystery: Hacked on Gumtree??

[cairene2011]

Gumtree is the UK version of Craigslist.

A few weeks ago, I listed a desk, a rug and a handbag there. I only ever checked my listings on my personal iPad and on my Macbook at home in my own password-protected Wifi. I also recently changed my Gumtree password, because I change all of them (eBay, Paypal, etc) bi-monthly.
Today, I keep getting phone calls since the early morning of people asking for the Golf I listed. I'm like what the heck - I don't have a car, I cannot even drive!! I check my Gumtree account and among my active listings there is a listing for a black VW Golf - that I never wrote - because again, I don't have a car.

I deleted it right away, which was stupid, because I should have at least screenshot it to get some clues to who this person is, but I just panicked and couldn't think beyond "OMG I WAS HACKED!!!111one". Now, after I had a cup of tea and changed my passwords again, I'm trying to wrap my head around three things:

1) Was this a genuine technical hiccup where someone's ad showed up on my account? Is that even likely?

2) If it wasn't and someone hacked into my account - then why? There is no way for them to gain something from me in such a "scam"? I mean, the potential customers are calling me because only my phone number shows up next to the listing, I tell them "nope, sorry, I don't have a car" ... no money ever gets transferred... I don't see how such a scam could possibly work for the scammer?

3) If someone hacked me? How? Did they only hack that Gumtree account? How? I never left it logged in on a public computer or public wifi. Or is this a much bigger issue of someone hacking into my computer? (which would explain the "how did they get on my Gumtree?", since my Gumtree password was saved in my Mac's keychain) How did they hack into my computer though? My Wifi is secure and I looked just now into my Router's menu to check what devices have all been connected to my Wifi in the past few months and they are all mine.

This is just so weird, I don't get it.



EDIT: I was just looking through yesterday's emails and lo and behold, there is the confirmation email for posting the car ad, that I never posted.
????

 

[GGJstudios]

1) Was this a genuine technical hiccup where someone's ad showed up on my account? Is that even likely?

This is very likely and may be the most probable cause.

2) If it wasn't and someone hacked into my account - then why?

If someone did hack your Gumtree account, people usually do such things to gain access to your personal and financial information.

3) If someone hacked me? How? Did they only hack that Gumtree account?

Hacking passwords for online accounts is relatively simple in most cases, because most people don't have long or complex passwords. I would change your passwords for all your email and online accounts, making sure that they are long and complex, with upper and lowercase letters, numbers and special characters.

Or is this a much bigger issue of someone hacking into my computer? (which would explain the "how did they get on my Gumtree?", since my Gumtree password was saved in my Mac's keychain) How did they hack into my computer though?

It is extremely unlikely your computer was hacked. In 7 years of reading "my Mac was hacked!" claims in this forum and others, not a single one ever was. Most individuals have nothing of value to a hacker. Why hack a single computer to get a couple credit card numbers, when you can hack a business and get many thousands? Hacking your email account or Gumtree account can happen, even if you don't own a computer.

 

[cairene2011]

If someone did hack your Gumtree account, people usually do such things to gain access to your personal and financial information.

I think that would make sense on eBay or Amazon, but the beauty of Gumtree is the fact that you ask for cash payments (and won't have succumb to paypal fees) ... so there is no detailed personal or financial information that could be spied upon.

But I'm really glad you think it was just a technical hiccup! My passwords are usually very long (I make up a long, memorable sentence and then take the first letter of every word - works great) and get changed frequently, so I hope I'm good after I have changed all of them again.

 

[GGJstudios]

But I'm really glad you think it was just a technical hiccup! My passwords are usually very long (I make up a long, memorable sentence and then take the first letter of every word - works great ) and get changed frequently, so I hope I'm good after I have changed all of them again.

Be sure you're including upper and lowercase, as well as numbers and special characters.

 

[cairene2011]

Be sure you're including upper and lowercase, as well as numbers and special characters.

Yes, of course. Most websites I use don't even allow passwords anymore that don't include a number and an upper case.

 

[a.guillermo]

Well, if someone DID hack you, they kinda wasted their time with pretty non-lethal attack. It was probably a technological glitch.

 

[cairene2011]

I just wanted to update that I was indeed hacked. A few weeks ago, I attempted to list my camera and strangely, no matter how often I listed it, the listing always immediately disappeared from the site. This was my first listing since that mysterious car incident, so obviously I hadn't noticed anything earlier. So I wrote Gumtree and asked what on Earth was going on, they replied and said that they had placed a ban on my account since their record indicates that it has been compromised in the past. We quickly traced it back to an email I received many months ago, from "Gumtree support" which provided a link to login. Of course, that was a phishing email and I was dumb enough to click the link and login. I even remember distinctly being annoyed at Gumtree, since the "login" didn't work and didn't redirect me to my account. Oh boy, am I stupid. I suppose I didn't expect a phishing attack since on Gumtree you pay in cash on collection and ergo have no payment details saved anywhere.

Anyway, the Gumtree person who helped me to restore my account, told me that the point of these phishing attacks is, to get control over accounts that have a long positive history on the site (ie on my account it says "Julia is posting for 2+ years"), then the scammer lists ie the car that showed up on my account, it's in reality a piece of junk, but since my account looks trustworthy more innocent people are inclined to check it out/trust the seller. Also if the buyers later realise that they were sold a piece of junk and go to court, it would be my account (me) liable despite never having seen or owned this car.

I just wanted to update, so that others are warned. Probably no one else falls into this phishing email trap, but honestly it didn't occur to me that this could happen with an "undesirable" Gumtree account since no payment info is stored there. Now that I understand that there is indeed a lot to gain for a scammer, I certainly feel like the biggest idiot.

 

[GGJstudios]

I just wanted to update that I was indeed hacked.

No, you weren't hacked.

Of course, that was a phishing email and I was dumb enough to click the link and login.

Voluntarily giving your login and password information to a phishing scam because you were duped is not the same as hacking. Yes, your information was compromised, due to your own actions. No, you were not hacked.

 

[cairene2011]

No, you weren't hacked.

Voluntarily giving your login and password information to a phishing scam because you were duped is not the same as hacking. Yes, your information was compromised, due to your own actions. No, you were not hacked.

Oh okay, I apologize for not being so good with terminology. English is not my mother tongue and as you can see, I'm also not very computer-literate. Apologies again, I only meant to update to warn others, not to claim something untrue or start a fight!

PS: I never denied my responsibility for what had happened - if you read my post, I keep repeating that I was very stupid to fall for this scam. Your answer sounds like you are setting me straight because I don't accept responsibility, which is not the case. It's all my fault and I was very stupid. I thought that the word "hacking" means any malicious use of other people's accounts, this is why I used the term. I know better now. Apologies again

 

[bgd]

They didn't do a very good job, they should have changed your phone number.