Credential-Stuffing Account Fraud on eBay
Criminals feed username-password combinations from unrelated data breaches into eBay's login page, seizing accounts where the victim reused passwords, then listing fraudulent items, redirecting payouts, or committing purchase fraud.
Last reviewed: 8 June 2026
eBay accounts hold payment details, shipping addresses, and seller reputations built over years. When a credential-stuffing attack succeeds — an automated tool testing billions of leaked email-and-password pairs against eBay's login — the attacker inherits all of that in seconds.
eBay itself has not necessarily been breached when this happens. The victim's email and password were leaked from a completely different service — a gaming site, a food-delivery app, a hotel loyalty programme — and reused on eBay. The attacker simply tests the combination and logs straight in.
Once inside, fraudsters use the trusted seller account to list high-value items at attractive prices, collect payment from buyers, and disappear. Buyers lose money and the legitimate account holder faces disputes, negative feedback, and potential account suspension — even though they were the victim.
How this scam works on eBay
Automated tools called credential-stuffing frameworks test leaked login pairs against eBay at high speed, sometimes through residential proxy networks to avoid IP-based rate-limiting. A successful login triggers a session takeover: the attacker changes the recovery email and phone number to lock the real owner out, then redirects pending seller payouts to a mule bank account.
With access secured, the criminal creates fraudulent listings for popular goods — electronics, designer clothing, concert tickets — at just-below-market prices to attract buyers quickly. Payments arrive via eBay's checkout but are routed to the hijacked payout account. Buyers receive nothing, or receive counterfeit goods.
Some attackers use compromised buyer accounts to purchase from genuine sellers and then initiate false 'item not received' disputes through eBay's Money Back Guarantee, effectively extracting refunds on items that were legitimately delivered.
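The takeover sequence described above (a sign-in from a device the account has not used before, then a recovery-detail change, then a payout change) can be expressed as a detection rule over an account audit log. The following is an added example, not eBay's code: the event names, the field layout, the 30-minute window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical event names; a real audit log will use its own.
RECOVERY = {"recovery_email_changed", "recovery_phone_changed"}
PAYOUT = {"payout_account_changed"}
WINDOW = timedelta(minutes=30)  # assumed threshold, tune to your own data

# Constructed sample events: (timestamp, account, action, device id)
EVENTS = [
    ("2026-06-01T09:00:00", "alice", "login_ok", "dev-A"),
    ("2026-06-01T09:04:00", "alice", "payout_account_changed", "dev-A"),
    ("2026-06-01T10:00:00", "bob", "login_ok", "dev-X"),
    ("2026-06-01T10:02:00", "bob", "recovery_email_changed", "dev-X"),
    ("2026-06-01T10:03:00", "bob", "recovery_phone_changed", "dev-X"),
    ("2026-06-01T10:05:00", "bob", "payout_account_changed", "dev-X"),
    ("2026-06-01T11:00:00", "carol", "login_ok", "dev-Y"),
    ("2026-06-01T11:05:00", "carol", "recovery_email_changed", "dev-Y"),
    ("2026-06-01T12:00:00", "dave", "login_ok", "dev-Z"),
    ("2026-06-01T12:01:00", "dave", "recovery_phone_changed", "dev-Z"),
    ("2026-06-01T13:30:00", "dave", "payout_account_changed", "dev-Z"),
]
# Devices each account has signed in from before (constructed).
KNOWN = {"alice": {"dev-A"}, "bob": {"dev-B"}, "carol": {"dev-C"}, "dave": {"dev-D"}}

def find_takeovers(events, known_devices, window=WINDOW):
    """Return {account: [actions]} where a sign-in from an unseen device is
    followed, on that device and within `window`, by both a recovery-detail
    change and a payout change."""
    suspect = {}  # account -> (login time, device, sensitive actions so far)
    alerts = {}
    for ts, account, action, device in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "login_ok":
            if device not in known_devices.get(account, set()):
                suspect[account] = (t, device, [])
            continue
        if action not in RECOVERY | PAYOUT or account not in suspect:
            continue
        start, dev, actions = suspect[account]
        if device != dev or t - start > window:
            continue  # different device, or too long after the new-device login
        actions.append(action)
        if RECOVERY & set(actions) and PAYOUT & set(actions):
            alerts[account] = list(actions)
    return alerts

if __name__ == "__main__":
    print(find_takeovers(EVENTS, KNOWN))
```

Only the account that shows the full sequence from a new device inside the window is flagged; a payout change from a known device, a lone recovery change, or a payout change long after sign-in is not.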
Common red flags
- You receive an eBay login alert or two-factor prompt that you did not trigger
- Your eBay account shows active listings you did not create, or your payout bank account has been changed
- Buyers or eBay contact you about disputes for transactions you never made
- Your account email or phone number has been changed without your knowledge
- You attempt to log in and find your password no longer works, indicating an account takeover is already underway
- You receive emails from eBay about account activity from unfamiliar device types or IP locations
How to protect yourself
- Use a unique, strong password for eBay that is not shared with any other service — use a password manager
- Enable two-factor authentication on your eBay account (Account Settings > Sign In and Security)
- Check whether your email address appears in known breaches at haveibeenpwned.com and change any reused passwords immediately
- Review your eBay account's saved payment methods and payout bank details regularly for unauthorised changes
- Set up login notifications in eBay's account security settings so you are alerted to any new-device sign-ins
- Use a dedicated email address for your eBay account that is not widely shared or exposed online
How to report it
- Report the account takeover to eBay immediately at ebay.com/help or by calling eBay customer service; ask them to freeze the account and reverse fraudulent listing activity
- Report to the FTC at reportfraud.ftc.gov and the FBI at ic3.gov if financial loss occurred
- If your payout bank account was changed, contact your bank to alert them to potential fraudulent transfers
- Forward any phishing emails that may have preceded the takeover to [email protected]
Frequently asked questions
Does credential stuffing mean eBay was hacked?
Not necessarily. Credential stuffing uses passwords leaked from other sites. If you reused a password across multiple accounts, attackers can access eBay without eBay itself being breached.
I am a buyer and received nothing from a seller. What do I do?
Open a case through eBay's Resolution Centre immediately. If the transaction is within eBay's Money Back Guarantee window and you paid via eBay checkout, you are entitled to a full refund.
How do I recover a hijacked eBay account?
Go to ebay.com/help and use the 'I can't sign in' option to trigger an account recovery process. eBay can verify your identity and restore access. Act quickly to minimise fraudulent listing activity.