Update 2: The admins addressed the issue and fixed it. Details at the bottom of the post.
Update: The current suspicion is that a former moderator on the site, who was fired for abusing his position, used some extra admin account to try and scam users; some say it was confirmed that the BTC address in the listings is linked to him, and we are checking this. We are still waiting for an official statement from the market admins.
In the last 24 hours we have been following quite a few reports about vendor accounts being hacked on Pandora and listings being changed to ask buyers to send BTC directly to some random BTC address:
HELLO,
I NOTICED THIS TEXT AT ALL MY LISTED ITEMS ON PANDORA:
Due to recent issues on Pandora we are requring our customers to deposit directly to our bitcoin address. To make an order with us please send payment to 13UpJnKT9qKfmsYCForGtPYSVoM1PnAEZ7 After you have made payment on your order please message what item you ordered and PGP the shipping address so we can ship your item promptly. Thank you for shopping with us. Current shipping time: (1 day after payment is posted)
WE NEVER EVER PUT THIS TEXT AT ALL OUR LISTED ITEMS!!!!
I NOTICED THAT THE PRICE OF THE ITEM CHANGED TOO. TO BE CLEAR, THIS TEXT ABOVE WITH THE BTC ADDRESS IS NOT OURS!!!!! I DON'T KNOW HOW THIS WAS CHANGED AS NOBODY HAS OUR PASSWORD!!!!!!!
SOMEONE TRIED TO SCAM US. THE STRANGE THING ABOUT THIS IS THAT OUR BTC IN THE ACCOUNT WAS NOT STOLEN. DutchDeal
Hey guys, seems like our vendor account got hacked by someone.
Please take a look at our listings, all our listing text has been changed to this text…
Due to recent issues on Pandora we are requring our customers to deposit directly to our bitcoin address. To make an order with us please send payment to 13UpJnKT9qKfmsYCForGtPYSVoM1PnAEZ7 After you have made payment on your order please message what item you ordered and PGP the shipping address so we can ship your item promptly. Thank you for shopping with us. Current shipping time: (1 day after payment is posted)
Also many prices of our listings were dropped!
Please alice, take a look at it, until this is cleared up we will not vend here anymore!!!!!!!!!!!!!!!
Our listing pages have been hacked also!!!!
This is true.. So far only my product listings seem to have been altered. My profile page seems to be untouched.. As well as the bitcoins in my account have not been tampered with… I have withdrawn all Coins with no problems.. I have also changed my password successfully although I don't think this is how they got in and altered the listings pages.. If someone had hacked my password then they would have access to withdraw my coins and this is not the case. I am still looking into anything else that I see and will update shortly..
I hope that none of my customers have fallen for this bullshit trick and sent some coins to these crook’s wallet. I know that karma will eventually fuck this guy in his ass.
It was also reported on Reddit:
It seems that the site's database was somehow compromised, and that it wasn't the vendors' accounts themselves that were hacked (e.g. through phishing), as one of the vendors reported:
"So far ONLY my product listings seem to have been altered. My profile page seems to be untouched.. As well as the bitcoins in my account have not been tampered with… I have withdrawn all Coins with no problems.. I have also changed my password successfully although I don't think this is how they got in and altered the listings pages.. If someone had hacked my password then they would have access to withdraw my coins and this is not the case. I am still looking into anything else that I see and will update shortly but in the meanwhile please note….
1) ONLY MY LISTINGS AND PRICES HAVE BEEN ALTERED.
2) ALL CURRENT ORDERS ARE SAFE AND ESCROW IS WORKING ACCORDINGLY.
3) ALL CUSTOMER BITCOINS ARE SECURE AND STILL IN ESCROW.
4) I HAVE NOTIFIED SUPPORT AND THEY ARE LOOKING INTO FIXING THIS NOW.
I hope that none of my customers have fallen for this bullshit trick and sent someone coins by mistake. I know that karma will eventually get this guy and fuck him in his ass.”
Later, some user came to the forum stating that he had hacked the above accounts and asking for BTC to be sent to the same BTC address shown in the hacked listings (he also posted some other information that doesn't seem very reliable).
When looking at the site we were currently unable to find any examples of these hacked listings.
It is highly advised to check the forums and make sure this issue is resolved, or at least that some official statement has been made by the admin, before using the marketplace or sending more money.
Update: this is the comment from the admin, after the issue was fixed:
My "official" comment on that serious issue:
Issue report reached me at: 09:26:36 am
Issue fixed: 10:02:00 am
Technical explanation (my most probable theory):
1) Most probably, the attacker was able to compose a $_POST request for changing item info.
2) There was a bug in the Pandora code that didn't confirm item ownership, so the attacker was able to change any item (this requires a more technically experienced attacker).
3) That was a very rare coding mistake, Pandora is very secure, but I forgot to implement the ownership check ONLY on that edit-item action.
4) Will go through the code to check if every single action has enough security checks.
5) Sorry for that / just human, all code has bugs.
6) Attacker profile: mid-to-higher experienced attacker
What should have been affected:
1) Any item listed on Pandora could have been affected by that, which includes (limited to listed item options):
1.1) Item description (most cases)
1.2) Item price
1.3) Item quantity
1.4) Shipping info on item
1.5) Maybe more within item details
What WAS NOT affected by this issue (problem with item edit only):
1) Vendor password
2) Vendor orders
3) Vendor escrow/account balance
4) Withdrawals
5) Pandora database
Possible losses:
1) The only possible losses are from customers who were conned by the attacker into actually sending the amount to the advertised address.
2) Thanks to the blockchain, fortunately "only" ~1.2 BTC (at the time of this post) was conned from customers. (https://blockchain.info/address/13UpJnKT9qKfmsYCForGtPYSVoM1PnAEZ7)
FIXES NEEDED:
1) All vendors must check the item description and prices on all their items to confirm they are correct.
2) I will update the description to a BLANK page on all items where the description contains the attacker's address.
LIST OF AFFECTED VENDORS AND ITEMS:
The list continues (see Pandora's forum).
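The bug the admin describes in points 1 and 2 above (an item-edit POST accepted without checking that the item belongs to the vendor submitting it) is a missing authorization check: the user is authenticated, but the server never asks whether they may touch that particular item id. The following PHP is an added illustration, not Pandora's code; it assumes a PDO connection, a hypothetical `items` table with `id`, `vendor_id`, `description` and `price` columns, and the vendor's id and a CSRF token kept in the server-side session.

```php
<?php
// Added illustration, not Pandora's code. Shows an item-edit handler with the
// bug class the admin describes (no ownership check) next to a fixed version.
// Assumed schema: items(id, vendor_id, description, price). Assumed session
// keys: vendor_id, csrf_token. All names are hypothetical.

// VULNERABLE: any logged-in user who posts another vendor's item_id rewrites
// that vendor's listing. Authentication is present; authorization is missing.
function updateItemVulnerable(PDO $db, array $post): bool
{
    $stmt = $db->prepare('UPDATE items SET description = :d, price = :p WHERE id = :id');
    return $stmt->execute([
        ':d' => $post['description'], ':p' => $post['price'], ':id' => $post['item_id'],
    ]);
}

// FIXED: item_id is untrusted input, ownership is verified against the
// server-side session, and a CSRF token is required so a crafted POST from
// another origin cannot ride on a vendor's logged-in session.
function updateItemFixed(PDO $db, array $post, array $session): bool
{
    if (!isset($session['vendor_id'], $session['csrf_token'], $post['csrf_token'])
        || !hash_equals((string) $session['csrf_token'], (string) $post['csrf_token'])) {
        http_response_code(403);
        return false;
    }
    $itemId = filter_var($post['item_id'] ?? null, FILTER_VALIDATE_INT);
    $price  = filter_var($post['price'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($itemId === false || $price === false || $price < 0) {
        http_response_code(400);
        return false;
    }
    // Ownership check: ask the database who owns the item, never the form.
    $own = $db->prepare('SELECT vendor_id FROM items WHERE id = :id');
    $own->execute([':id' => $itemId]);
    $owner = $own->fetchColumn();
    if ($owner === false || (int) $owner !== (int) $session['vendor_id']) {
        // Denied edits are worth logging: one session touching item ids that
        // belong to many other vendors is the signature of a mass rewrite.
        error_log(sprintf('item edit denied: vendor %d tried item %d',
            (int) $session['vendor_id'], $itemId));
        http_response_code(403);
        return false;
    }
    // vendor_id in the WHERE clause keeps the UPDATE scoped even if ownership
    // changed between the SELECT and the UPDATE.
    $upd = $db->prepare('UPDATE items SET description = :d, price = :p
                         WHERE id = :id AND vendor_id = :v');
    return $upd->execute([':d' => (string) ($post['description'] ?? ''), ':p' => $price,
                          ':id' => $itemId, ':v' => (int) $session['vendor_id']]);
}
```

The admin's own follow-up, auditing every action for the same check, is the right generalisation: the ownership test belongs in a shared helper that every edit, delete and price-change handler calls, not in each handler individually.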