eBay Account Hacked

Last month right before our trip to Mexico City, I got a text message saying my PayPal account had a $11k charge and asking me if it was my authorization. I immediately replied no and verified that was a legit message from PayPal. We went onto the trip and I didn’t think of this matter in the next few days.

A week later, I noticed our checking account had a $11k withdraw from PayPal! WTF?! I called the bank immediately. They said the only thing they could do was to close my checking account and open a new one, and suggested me to contact PayPal first. Hence my month-long wrestling with PayPal began.

Before I go on to lay out my experiences with PayPal, I’ll list findings from our forensic checks of how the orders were placed without our knowledge. The result was very shocking to me.

  • My checking account was charged because it was linked to my PayPal account.
  • When the 11k charge happened, I got hundreds of spam emails within a few hours. Gmail blocked most of them but still more than 100 showed up in my inbox. Apparently hackers tried to overwhelm my inbox so I miss any alert emails.
  • My PayPal account was linked to Wen’s eBay account before.
  • Wen’s PayPal account was also linked to Wen’s eBay account, and also had 4 unauthorized charges since Aug 2023, total ~8k$. ~$4k was charged to our credit card reward points(!), which was very sneaky as reward point transactions have way less notifications and checks than usual credit card charges. The other ~$4k was charged to someone else’s card that hacker added to Wen’s PayPal.
  • Wen’s eBay account was hacked and all the orders were placed there. The orders were “hided” in eBay (not sure why eBay even has such a function…) so it was harder to notice at first. Wen’s eBay account didn’t have 2FA enabled before this. So it was a weak link. At first I thought this was the “entrance” the hacker found.
  • But a few days later I found Wen’s gmail was also hacked… there was a filter created in gmail to delete all emails with the words “eBay” or “PayPal”. This was why we didn’t notice any of the hack orders. Wen’s gmail apparently didn’t have 2FA enabled until Nov 2022. But she did place some order in Aug 2023 and received the emails. So the filter was created within Aug 2023, after her last legit order and before the first hack order.
  • eBay support said the hacked orders were placed from our home IP.
  • Wen’s Google account sessions don’t have devices or locations we don’t recognize.
  • Hacker’s “entrance” was likely one of Wen’s devices that has her gmail account logged in, and/or eBay logged in.
  • But at the end, I couldn’t confirm which device was hacked or how exactly the hacker took control of Wen’s accounts.

In the past few weeks I files several tickets with PayPal and had numerous calls with their support. The resolutions were really inconsistent and not transparent at all.

  • For the 11k charge on my PayPal account, I filed a ticket and claimed it was an unauthorized charge. I supposed it would be an easy case, as I replied the text message immediately and told PayPal it was unauthorized when the charge happened. But I got turned around several times. The case was denied after a few days. I called support. An agent told me to change it to “item not received”. I waited more days and seller apparently provided shipping confirmations, so the case was denied again. I called the support again to reopen the ticket and I reiterated it was a hack, and the case was denied after another week… I called PayPal support again and filed a new ticket and reiterated the same information again, and it was finally refunded this time…
  • I filed a ticket for the four hacked charges in Wen’s PayPal account as unauthorized access as well. To my surprise, three of them were refunded very quickly. But one smallest charge was left out and not refunded for unexplainable reason… I called PayPal support and one agent said she filed an appeal for me (essentially reopened the ticket). A few days later it came back denied again… I’ll keep argueing with PayPal support.

So in summary:

  • I got ~19k back among the ~20k stolen money (including ~4k on someone else’s stolen card), not too bad…
  • The hacker went away with the goods they bought. The refund I got probably came from either the seller or insurance.
  • I still don’t know exactly how the accounts were hacked…
Categorized as blog


上周二(Nov 14)在办公室正开着会,手机接二连三的收到短信。一看之下吃了一惊,我刚离开不久的B司大裁员了。说是要裁1/4的员工。最让我震惊的是Flux的人全都被裁了。Flux的产品虽然近半年来确实没几个客户在用,但是有一个大客户在做集成。一下子把人全都裁掉看起来是要砍掉这个产品的势头,不知道如何跟那个客户公司交代。但我又听说这事并没有通知到那个客户那里,唯一一个和客户直接对接的人没有被裁,难道要上演一番空城计?无论怎样,不再是我的问题了,哈哈。



周四本来B司纽约办公室的几个人还约了一个happy hour,于是临时变成了after-shock rant session。大家一番推测到底这事发生之前谁知道谁不知道,感觉知道的人还是比较少的,一两周之前还在各种开会讨论计划什么的。干活的人基本上都不知道。但某高层,aka.我前老板,很明显是知道的,还来纽约组织会议,就有些过假了。比较让我惊讶的一点是他在跟Flux的eng lead裁员talk的时候说裁整个Flux是他自己的决定,我有种不知道他这是要背锅还是要忏悔的感觉。



我想了一阵这个裁员和Flux最近纷纷走人的因果关系。从八月到十月Flux的几个骨干依次离职,Product VP,Customer Service VP,我,Yue。我的猜测是B司裁员这个事情在我走之前就决定了,今年的数字一直不太好看,裁员这种事从计划到施行也差不多需要至少两个月。但我有点怀疑这一番走人导致了具体裁的人倾向了Flux这边。Anyway,焉知非福。

Categorized as blog

Guadalupe Mountains

新公司正式开张之前自然是要去玩一下的,毕竟接下来几个月可能会很忙。这次的主要目的地是德州最西边的Guadalupe Mountains国家公园,一方面是想找个温暖干燥的地方睡睡帐篷走走空无一人的山路,重温一下和EBC完全相反的爬山体验;另一方面也是为了在我的国家公园访问列表上喜加一。

Categorized as blog

Reflections on the Tech Stack of Flux

In the early days of Flux, I often sent a link to our tech stack to candidates. In my mind, a big draw of working at a startup is the freedom to assemble a tech stack from the beginning, experiment with it, and learn from the experiences. Now is my time to say goodbye to the stack and write some thoughts.

Background: Flux is an HR Tech startup with six engineers for the first three years, acquired by Beamery in 2021, and grew to 16 engineers in 2022. The product consists of a web application and a recommender system (matching engine).

Categorized as blog



Categorized as blog