[ph03n!x]

From around 20th Nov itself I have been getting mails from Flipkart notifying me of a new device that has logged in to my account. I have two phones, a personal laptop and a desktop, a work laptop, my wife has a phone and my kids have a tab and a Chromebook. To make things complicated, my family members too have their logins in my personal desktop and laptop.

So I kept ignoring these mails - coz it could be any of them using one or the other device to login to Flipkart for the first time.

Until now. Until I got a SMS text message saying I have cancelled something that I recently bought, and for sure did not cancel!

The password I use for Flipkart is a very basic, elementary password - one that I know has been leaked/ hacked (through haveibeenpwned, thanks to the Zoomcar data breach). I use the same email ID/ password combo for sites I do not care about, including Flipkart.

I am not a regular user of Flipkart, but do use it when I find something interesting - and usually compare between Amazon/ Flipkart/ Retail store near me before buying big ticket items.

So recently, fellow BHPian @wooka messaged me saying ARMORO storage bags (that you can hang to the Thar's rollcage) was available at a discount - and I grabbed it on Nov 29th, got delivered on the 5th of Dec (thanks bro - damn good, esp. for the price ).

I got a SMS saying I have raised a cancellation for the ARMORO bags, which I certainly did not - and I checked with my family too (They don't stuff like that without asking me, but nevertheless). So I logged into Flipkart, and cancelled the cancellation.

And changed my password to a 20+ character string - yeah, most of my "modern" passwords are like that, and are not repeated. I have a method to the madness...

I do not know what the hackers would achieve by cancelling my recent order, what their modus operandi is - will they call me tomorrow and say they wrongly credited money, and ask me to transfer it to them? Will wait and watch.

I am not too worried, because -

• I do not have any payment methods saved in Flipkart
• The phone number I have in Flipkart is not tied to my bank accounts, work place, or any where sensitive
• I did not have my PAN information

I am worried a bit though because -

• Hackers may have captured the names/ phone number/ addresses of four other people I had shipped/ gifted in the past
• My current address and a past address

I don't care they know these -

• My email ID - thanks to Zoomcar, most hackers have it by now
• My elementary, basic password - I never use it in sites that are even remotely sensitive, and I think Flipkart is the last of them (which I have now changed)

I have informed all four of them to be mindful if someone reaches out to them impersonating me.

In general, here are my takeaways -

• Our phone number has become a lot more than a mode of communication. All banks, workplaces, even some sites like Amazon use it for MFA. I have made it a practice to use a give-away number for all courier, deliveries, etc. and limit the use of the phone number tied to my banks, workplaces, MFA
• Leverage MFA if the site/ service provides that as an option - Amazon, gMail, etc. do, and I have turned that on.
• Don't be lazy. If any service that used in the past has been hacked, change the credentials there, and do the same in places that may have the same credentials
  • Have you bought something in IKEA?
  • Do you have an Apple or Microsoft account?
  • Do you use LinkedIn or YouTube or Facebook or Instagram or the long-dead Google Plus?
  • Have you stayed in a Marriott or Hilton property?
  • Ever had a 500px account?
  • Use Truecaller, Justdial?
  • Do you have an AirTel SIM and login to their app/ web?
  • Do you have an Adobe account?
  • Have you ever flown Cathay Pacific or British?
  • Do you use Uber?
  • Have you flown in to Heathrow?
  • Do you use Reddit or Quora?
  • Do you use Big Basket?
  • Order pizzas from Domino's?
  • Do you rely on the convenience of Dropbox?
  • All of these have been hacked in the past, and any credential/ personal info they may have on you, in all probability, is being groomed in the dark web, gathering more info about you, figuring out how to use it to make a quick buck. And the list includes gMail, eBay, Twitter, Vodafone, Yahoo, AOL, SnapChat, Evernote, Citi, Countrywide... ... ...
• Try not to save payment methods while shopping/ paying online
• Act on any alert that you may get, don't assume (I could have asked my family if they logged in to Flipkart - I didn't coz the usual process is they login, find what they want, add to cart and then tell me to order - remember, no payment method saved!)
• Communicate - when you know you have been pwned, inform those who may be affected to minimize collateral damage
• Last but not the least, keep checking if you have been pwned regularly, and take corrective actions! Browsers like Firefox (maybe others too) have a feature where they can warn you if you credentials are leaked when you use them (they tie-up with haveibeenpwned.com)

Here's the list of breaches that my other, throwaway IDs have been involved in -

Have anyone else experienced this "cancellation" trick with Flipkart, or any other shopping portal? What was your experience? I will update mine here if anyone calls me regarding this!

[MT_Hyderabad]

First thing first, they cancelled to find out if the money was paid through a gift card. Once it is recredited, they can use it to buy things that they want or can sell.

Our story with flipkart hacking: My brother shifted to US some eight months back. He had some gift cards in flipkart. My son had birthday in Sept, and he wanted to ship something for him. To his surprise, his account already had a delivery pending for some address near Mumbai. He was unable to do anything on the app and it was showing ‘account invalid’.

I contacted flipkart on his behalf through phone and they said that he can change the password if he goes through Desktop version and generate OTP. To our benefit, he had stored the password on the desktop version in Google password manager and it worked. He could quickly change the password and deleted the addresses which the hacker had put in.

Now his flipkart account doesn't have any money left!

[ph03n!x]

Quote:

Originally Posted by MT_Hyderabad

First thing first, they cancelled to find out if the money was paid through a gift card. Once it is recredited, they can use it to buy things that they want or can sell.
...

But they won't get any giftcard refunded unless Flipkart comes home to pick up what they delivered, right? Or does Flipkart is so proactive that they refund the card first and pick up later? I haven't used a giftcard with then yet, but good to know this

[MT_Hyderabad]

Quote:

Originally Posted by ph03n!x

But they won't get any giftcard refunded unless Flipkart comes home to pick up what they delivered, right? Or does Flipkart is so proactive that they refund the card first and pick up later? I haven't used a giftcard with then yet, but good to know this

If you paid through a gift card, when you cancel the delivery before it reaches you, you get the gift card money back in the gift card account. This money can be immediately used for other shopping.

If something has been delivered, it has to reach back to the vendor before the gift card amount is refunded.

In your case, as you didnt pay through gift card, money will go back to the original mode of payment. Hacker will not get any benefit by cancelling your order. They just wanted a refund to show up somewhere to be able to use that money. By mistake, a delivered item can be returned by a family member and they wanted to take a chance!

[sagarpadaki]

Quote:

Originally Posted by MT_Hyderabad

If you paid through a gift card, when you cancel the delivery before it reaches you, you get the gift card money back in the gift card account. This money can be immediately used for other shopping.

This is strange SOP in flipkart. In Amazon, even if paid through Amazon Pay balance, the amount gets credited only after the return item has been picked up by the associate.

[dragonfire]

This happened to me too. I saw an email of an order that has been placed in my Flipkart account for a pen drive. I tried logging into the account, and it gave me a password incorrect message. Did an account recovery via OTP and saw that an order has been placed that was being shipped to some address in Gujarat. The hacker has used gift card balance in my account.

Cancelled the order and I went ahead and deleted all saved cards from my account. Also changed the password to a much complex one. This happened about six months ago, and so far, no issues.

[rnkgrg]

Not to dismiss your concerns, but if there is a list of devices available on your Flipkart profile, I think you should first crosscheck with that if there indeed was a third party login apart from you and your family. While the login emails certainly sound suspicious, as you yourself said, the family logging in on their devices is a far more likely explanation, since modern systems are very sophisticated in this regard at least.

A more likely explanation for your ordeal is that your order was cancelled by Flipkart or the seller rather than some hacker's play. This could be for several reasons - item going out of stock, technical glitch at Flipkart backend, or any other thousand reasons under the sun. In fact, a lot of people faced a similar auto cancellation issue during BBD for their iPhone 13 orders placed at the blockbuster ₹50,000 price for no fault of their own. I too have faced order cancellations from the seller several times albeit on Amazon.

And as someone who has casually browsed the forums containing such leaked databases, I don't think that this is the hackers' modus operandi. The whole operation is rather too cumbersome and risks exposure.

These hackers usually prefer anonymity and little to no account owner intervention. In fact, they target accounts with little activity so that the owner is not alerted.

They usually go for accounts with loaded wallet balance. They have sophisticated tools at their disposal that lets them check the leaked databases for accounts for several criteria - Wallet Balance, Availability of 2FA etc. The easiest ones - the ones with loaded balances, disabled 2FA - are used, the rest are discarded.

The UPI/OTP/Bank scammers and these account hackers/crackers are different from one another, with the former's prowess being impersonation and the latter's being technical know-how. I don't think either would/could breach the others' territory. Moreover, mixing the two just elaborates the operation unnecessarily. There are far more easier targets available to both of them.

All this being said, online safety is of paramount importance. It is obviously better to be safe than to be sorry.

[Ethnicul]

Quote:

Originally Posted by sagarpadaki

This is strange SOP in flipkart. In Amazon, even if paid through Amazon Pay balance, the amount gets credited only after the return item has been picked up by the associate.

What he meant was, if the item is yet to be delivered and one cancels, then the refund is made instantly.

[ph03n!x]

Quote:

Originally Posted by rnkgrg

...but if there is a list of devices available on your Flipkart profile, I think you should first crosscheck with that if there indeed was a third party login apart from you and your family.

...

A more likely explanation for your ordeal is that your order was cancelled by Flipkart or the seller rather than some hacker's play. This could be for several reasons - item going out of stock, technical glitch at Flipkart backend, or any other thousand reasons under the sun.

...

Amazon has this, list of devices logged in. Couldn't find that in Flipkart though.

Also, the entire fun started after delivery. A week of having the item with me, actually. I meant I had to cancel the return order that was raised when I said cancelled the cancellation!