Panic has reigned on Vinted for several days! Following a vast and ferocious hack, hundreds of users saw their kitty siphoned off, then their account blocked. The platform promises to pay them compensation.
In 2023, nearly 23 million French people – i.e. one in three! – use the Vinted platform to buy and sell second-hand clothes, accessories and other items. In just a few years, the Lithuanian business has experienced a meteoric rise. So it didn’t take long before its success attracted ill-intentioned people! And while the platform is home to many scams – sale of counterfeits, fake profiles, packages never received… – it is also the target of cybercriminals. Indeed, Le Parisien reports that for several days, hundreds of users have seen their kitty – a virtual wallet that allows members to collect and store money from sales to then buy directly on the site or transfer it to their bank account – disappear overnight, some containing 800 or 900 euros! Marianne Leleu, a Vinted employee for eight years who is in charge of hacks, has seen the number of testimonials explode on the Instagram account she runs. “The modus operandi existed, but it was not as massive. For two days, it’s downright a network that has been organized, with victims in Spain and Italy”, she worries. For its part, Vinted confirmed to AFP that it had recently blocked access to the accounts of several of its members, due to an incident in which fraudulent access was observed.
Vinted scam: targeted user pools
The targeted accounts were not chosen at random: the hackers scouted and selected them according to the sums available in the wallets. Once the account credentials were in hand, the procedure was very easy: all they had to do was change the password and the associated RIB (bank account details) in order to transfer the kitty to their own bank account. Some of the victims received SMS messages, e-mails or calls informing them that a change of contact details was in progress on their account. However, they did not react, thinking it was a scam or a phishing attempt. In any case, it was already too late, because the hackers had already taken control of their account. Other users simply saw nothing coming, since the hackers only changed the RIB associated with the account, which does not require any approval by email or SMS, in order to recover the money later. To prevent the victims from reacting by changing the hacked password and deleting the RIB, they even went so far as to publish pornographic content on the victims’ profiles, so that the accounts would be automatically blocked once the money was embezzled! What elegance!
Vinted confirmed the incident and said it blocked the accounts of several members, but did not provide further details. However, the company made it clear that “the connection information used (usernames, passwords, etc.) was obtained from data consulted elsewhere outside the platform and not linked to Vinted”. Put plainly, the thieves appear to have recovered the data from a previous hack – it is very easily found for sale on Dark Web forums – and used the stolen email address and password combination to log in to the accounts and empty them. “Additionally, we can confirm that credit card details are not fully visible when accessing the account”, the company adds in its defense. Because in addition to the kitties, the hackers also managed to recover the bank details of certain members. According to Le Parisien’s investigation, the stolen money was reportedly sent to Germany, Ireland or Luxembourg.
Vinted says it is making every effort to “restore access” of these users “on their own account” and “advise them to ensure the security of their account and their identifiers”. Moreover, the victims “will be eligible for compensation in the event of money lost on their Vinted wallet”, the company says, without however specifying the number of members affected or assessing the damage suffered. Also, it is better to avoid keeping too much money in your kitty and to change your password, as well as that of your other accounts if they use the same one. Finally, it is better to carefully monitor the movements of your bank accounts in the coming months.