Customers of the online second-hand fashion store Vinted have been reporting stolen funds and fraudulent activity on their accounts in the past couple of weeks.
Vinted is a Lithuania-based clothing exchange marketplace where users can sell second-hand apparel and accessories. The platform has grown tremendously since its launch in 2008, with a current active user base of 45 million across Spain, France, Luxembourg, Belgium, the Netherlands, Germany, Austria, the Czech Republic, Poland, Portugal, Lithuania, the UK, Italy, the US and Canada.
Like many successful online marketplaces and platforms, Vinted is not immune to scams. The platform has attracted many scammers who sell phony high-end apparel, plus people with fake profiles who never commit to their buyers.
In the past two weeks, however, customers in France, Italy and Spain have been flocking to the Vinted forum and social media platforms to report losses of thousands of euros. Hundreds of victims have called on the platform for help retrieving stolen funds.
"I just noticed that my Vinted wallet was empty when I had 160 euros on it," one user said.
“They hacked me almost 800 euros, what can I do?” asked another. "The 52 euros I had on my account were transferred to the fraudster's account… It's a paltry sum compared to some victims when I see the comments… But a lot for me," another explained.
French daily newspaper Le Parisien notes that user testimonies have been surging on an Instagram account run by a former Vinted employee in charge of resolving hacked accounts on the platform.
“It goes from 100 euros at least up to 800, 900 euros (...), there are a lot of users, we are talking about several hundred accounts concerned," she said.
"The modus operandi existed, but it was not as massive. For the past two days, it's downright a network that has been organized, with victims in Spain and Italy," she stressed.
According to reports, the attacks against users’ digital wallets are not random. Cybercrooks have been diligent in hand-picking victims based on their e-wallet balances. Once the hackers identify a promising account, they begin their attack.
Some victims reported receiving an SMS, email or call informing them that a request to change their contact details was in progress. The users were asked to provide identifiers that allowed attackers to take over the accounts and change the associated bank account (IBAN or RIB) to transfer funds to another account belonging to the thief.
Other users did not fall for a phishing attempt. Fraudsters managed to take control of their accounts (possibly via a successful credential-stuffing attack), changing the account number and publishing pornographic material on the user profile, automatically blocking the account. Before posting banned content, the attackers managed to fraudulently transfer the money and delete their RIB.
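The sequence reported above (account takeover, payout IBAN swapped, wallet emptied, IBAN deleted) leaves a recognizable trail in account events. As an added example that is not from the article or from Vinted, the Python below flags that trail over constructed events; the event types, field names, device lists and 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed events; event types and field names are hypothetical, not Vinted's schema.
EVENTS = [
    {"ts": "2000-01-01T09:00:00", "account": "alice", "type": "login", "device": "phone-1"},
    {"ts": "2000-01-01T09:05:00", "account": "alice", "type": "iban_change", "iban": "IBAN-ALICE-2"},
    {"ts": "2000-01-01T09:10:00", "account": "alice", "type": "withdrawal", "iban": "IBAN-ALICE-2", "amount": 40},
    {"ts": "2000-01-02T03:00:00", "account": "bob", "type": "login", "device": "unseen-7"},
    {"ts": "2000-01-02T03:02:00", "account": "bob", "type": "iban_change", "iban": "IBAN-UNKNOWN-9"},
    {"ts": "2000-01-02T03:04:00", "account": "bob", "type": "withdrawal", "iban": "IBAN-UNKNOWN-9", "amount": 800},
    {"ts": "2000-01-02T03:05:00", "account": "bob", "type": "iban_delete", "iban": "IBAN-UNKNOWN-9"},
]
# Devices already seen on each account before the sample window (constructed).
KNOWN_DEVICES = {"alice": {"phone-1"}, "bob": {"laptop-3"}}


def flag_takeovers(events, known_devices, window=timedelta(hours=24)):
    """Return {account: [reasons]} for wallets paid out to an IBAN that was
    added within `window` of a login from a device never seen on the account."""
    state, flagged = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        st = state.setdefault(acct, {"new_login": None, "new_iban": None, "iban_ts": None})
        if ev["type"] == "login":
            if ev["device"] not in known_devices.get(acct, set()):
                st["new_login"] = ts
        elif ev["type"] == "iban_change":
            # Only an IBAN set shortly after an unfamiliar login is suspicious.
            if st["new_login"] and ts - st["new_login"] <= window:
                st["new_iban"], st["iban_ts"] = ev["iban"], ts
        elif ev["type"] == "withdrawal":
            if st["new_iban"] == ev["iban"] and ts - st["iban_ts"] <= window:
                flagged.setdefault(acct, []).append(
                    f"payout of {ev['amount']} EUR to IBAN added after new-device login")
        elif ev["type"] == "iban_delete":
            # Deleting the payout IBAN right after use matches the reported clean-up.
            if acct in flagged and ev["iban"] == st["new_iban"]:
                flagged[acct].append("payout IBAN deleted after withdrawal")
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_takeovers(EVENTS, KNOWN_DEVICES).items():
        print(account, reasons)
```

The same condition can gate the payout itself: holding a withdrawal to a newly added IBAN until the account owner confirms it through a previously verified channel stops the transfer rather than only reporting it.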
Le Parisien's investigation has tracked the stolen money to bank accounts in Germany, Ireland and Luxembourg.
The second-hand clothing exchange site has confirmed the hack, emphasizing that the hackers did not breach the Vinted platform to gain access to the usernames and passwords of victims and that credit card details are not fully visible when accessing accounts.
“The connection information used (usernames, passwords, etc.) was obtained from data consulted elsewhere outside the platform and not linked to Vinted," the company explained.
The platform is in the process of restoring access to members who’ve been locked out. Vinted has not provided additional comments or information on the exact number of individuals who lost their e-wallet balance but claims its users will be eligible for compensation for any stolen funds.
Recent events should keep any Vinted user on high alert. Make sure you:
Bitdefender Digital Identity Protection only needs your email address and phone number to check for any data breaches and leaks that contain exposed personal information and other key information linked to the digital you.
Becoming a member of the digital identity community will bring you: