Cybercrooks target hundreds of Vinted second-hand fashion store shoppers. How can you limit the damage?

Customers of the online second-hand fashion store Vinted have been reporting stolen funds and fraudulent activity on their accounts in the past couple of weeks.

What is Vinted?

Vinted is a Lithuania-based clothing exchange marketplace where users can sell second-hand apparel and accessories. The platform has grown tremendously since its launch in 2008, with a current active user base of 45 million active in Spain, France, Luxembourg, Belgium, the Netherlands, Germany, Austria, the Czech Republic, Poland, Portugal, Lithuania, the UK, Italy, the US and Canada.

Hundreds of users report hacked accounts and stolen funds

Like many successful online marketplaces and platforms, Vinted is not immune to scams. The platform has attracted many scammers who sell phony high-end apparel, plus people with fake profiles who never commit to their buyers.

In the past two weeks, however, customers in France, Italy and Spain have been flocking to the Vinted forum and social media platforms to report losses of thousands of euros. Hundreds of victims have called on the platform for help retrieving stolen funds.

"I just noticed that my Vinted wallet was empty when I had 160 euros on it," one user said.

“They hacked me almost 800 euros, what can I do? Asked another. "The 52 euros I had on my account were transferred to the fraudster's account… It's a paltry sum compared to some victims when I see the comments… But a lot for me", another explained.

French daily newspaper Le Parisien notes that user testimonies have been surging on an Instagram account run by a former Vinted employee in charge of resolving hacked accounts on the platform.

“It goes from 100 euros at least up to 800, 900 euros (...), there are a lot of users, we are talking about several hundred accounts concerned ", she said.

"The modus operandi existed, but it was not as massive. For the past two days, it's downright a network that has been organized, with victims in Spain and Italy," she stressed.

How scammers target their victims

According to reports, the attacks against users’ digital wallets are not random. Cybercrooks have been diligent in hand-picking victims based on their e-wallet balances. Once the hackers identify a promising account, they begin their attack.

Some victims reported receiving an SMS, email or call informing them that a request to change their contact details is in progress. The users were asked to provide identifiers that allowed attackers to take over the accounts and change the associated bank account (IBAN or RIB) to transfer funds in another account belonging to the thief.

Other users did not fall for a phishing attempt. Fraudsters managed to take control of their accounts (possibly via a successful credential-stuffing attack), changing the account number and publishing pornographic material on the user profile, automatically blocking the account. Before posting banned content, the attackers managed to fraudulently transfer the money and delete their RIB.

Le Parisien's investigation has tracked the stolen money to bank accounts in Germany, Ireland and Luxembourg.

Vinted says it will reimburse victims

The second-hand clothing exchange site has confirmed the hack, emphasizing that the hackers did not breach the Vinted platform to gain access to the usernames and passwords of victims and that credit card details are not fully visible when accessing accounts.

“The connection information used (usernames, passwords, etc.) was obtained from data consulted elsewhere outside the platform and not linked to Vinted," the company explained.

The platform is in the process of restoring access to members who’ve been locked out. Vinted has not provided additional comments or information on the exact number of individuals who lost their e-wallet balance but claims its users will be eligible for compensation for any stolen funds.

What should victims do?

Recent events should keep any Vinted user on high alert. Make sure you:

• Change any passwords that share the same login credentials with the compromised account
• Monitor your financial accounts and report any suspicious activity
• Scrutinize all unsolicited correspondence via email, text or phone that prompt any immediate such as providing PINs, passwords and credit card numbers
• Install a security solution on your device to help fend off phishing and other malicious attacks
• Use a digital identity protection service to alert you whenever your personal data ends up on the dark web and help you lock any privacy or security issues on existing online accounts

Bitdefender Digital Identity Protection only needs your email address and phone number to check for any data breaches and leaks that contain exposed personal information and other key information linked to the digital you.

Becoming a member of the digital identity community will bring you:

• Instant mapping of your digital identity
• Your breach history containing a full list of organizations that revealed your details and what type of personal information was exposed
• Alerts when you are involved in a new breach
• Continuous monitoring of your personal data (email, passwords, credit cards)
• Recommended steps to take for each of your accounts exposed in a data breach