More than one in three French people use this website. 23 million people use Vinted, a platform for selling used clothing. Trades take place every second, and its secretive turnover will surpass one billion euros in 2019. The sudden wealth has clearly piqued the interest of cybercriminals. Over the past few days, hackers have stolen from the accounts of at least hundreds of users, and the number of victim testimonies is growing.
In the last few hours, the fraud has been described in hundreds of messages on the forum of the second-hand clothing site alone. Users are calling on the website for assistance. One user laments: “I just realized that my Vinted wallet was empty when I had 160 euros on it.” “They stole approximately 800 euros from me, what can I do?” Maeva enquires. “The 52 euros that were in my account were moved to the fraudster’s account… When I read the comments, I realize how little it is in comparison to some victims. But a lot for me,” says Camille, who is also upset.
The harm could be really severe. Marianne Leleu, a Vinted employee of eight years who is specifically in charge of piracy, witnessed the explosion of testimony on her “Les nuggets of Vinted” Instagram account, which has 88,500 followers. “Tuesday, I had already gotten a dozen notifications. I received 200 messages overnight, and the following morning… Although it wasn’t as widespread, this mode of operation did exist. It has been an organized network over the previous two days, including victims in Spain and Italy,” says Leleu, frightened, who warned her community.
Money transferred to Germany, Ireland or Luxembourg
What steps are involved? Users are sent a four-digit code by SMS or phone call, used to update their contact information on Vinted. “An SMS that I deleted since we get fake ones. Then I received a call, picked up, and the voicemail contained the same information,” says Vanessa, an Aix-en-Provence medical secretary who will have 203 euros stolen from her wallet. “I hung up, like all the commercial calls we get.”
Next, some of the victims receive an email informing them that their contact details have been changed. By the time the cybercriminals have taken over the account and profited from its sales, it is already too late.
However, a change of password or name does not happen in every case. According to Marianne Leleu, “We have testimonies from victims who were unable to observe anything and for whom the crooks just altered the bank details and patiently awaited the users’ transfer.” Our research indicates that no confirmation code is needed to transfer money to an external account.
Picture of a Vinted hacker email.
Worse still, some thieves even upload pornographic content to the account once the money has been embezzled, causing it to be automatically restricted, in an effort to stop victims from responding by changing the compromised password and deleting the perpetrators’ RIB (bank account details) whenever that is possible.
This Thursday evening, the Vinted platform acknowledges to Le Parisien: “We recently stopped access to the accounts of a number of our members owing to an incident during which fraudulent access to these accounts was noticed.”
Data gathered away from the platform?
The website asserts that “the connection information used (usernames, passwords, etc.) was obtained from data consulted elsewhere outside the platform and not linked to Vinted,” adding that it is “already in contact with the members concerned in order to support them in restoring access to their accounts.” In other words, the thieves would have obtained this information through a prior hack elsewhere on the Internet, then logged in to the targeted accounts on the second-hand platform using the stolen email address and password.
These compromised accounts don’t appear to have been picked at random. “We observe that they recognize and behave in accordance with the amounts present in the portfolios. They appear to have access to the pseudonym and the available funds, but because the fraud takes time, they do not concentrate on tiny accounts,” says Marianne Leleu, who is concerned about “code aces.”
“I had just received 530 euros for a branded purse.”
Proof, if any were needed, that the hackers are aware of the internal processes that lead to an account being closed. “Since Thursday, mine has been blocked. On Vinted, I no longer feel secure. I recently sold a luxury bag for 530 euros, which I had kept in my digital wallet,” says Leyla, a 35-year-old project manager in finance, who continues: “I also put a stop on my bank card.”
Screenshot of a compromised user’s email on Vinted.
The money was transferred to Germany, Luxembourg, or Ireland, as shown in the screenshots that the victims were able to give us, in which the first letters and digits of the account can also be seen, before probably being moved from account to account in an effort to evade the investigators’ tracing. The victims still have to file a report themselves, though. The Internet users we contacted find this confusing and lament the lack of supporting documentation. Vanessa regrets, “I have nothing tangible to provide the police, so it’s difficult to file a complaint.”
These skilled and voracious cybercriminals are not satisfied with emptying the victims’ Vinted kitty. Some even go as far as using the bank cards registered on the customer’s account to make purchases when the cards’ security is weak. Aurélie, 42, a self-employed woman in Seine-et-Marne, assures us, “I alerted all my acquaintances, they withdrew their bank cards and emptied their kitties. I too saw my kitty liquidated.”
The Lithuanian enterprise is also under threat from a wave of panic that could cause users to empty their kitties in large numbers. It now shows a special notice when its customers want to withdraw their money: “Transfers to a bank account may take longer than usual. We apologize for the disruption.” It is also blocking all accounts with suspicious reports. Vinted has already raised with Le Parisien the question of compensating victims “in the event of money lost on their wallet.”