Monday, September 2, 2019

My Wish.com Account Got Hacked

You are probably familiar with Wish.com. It's that website that sells a bunch of discounted crap, most of which is sourced from China. It almost certainly has shown up on your Facebook feed as a featured ad a few times over the years. Anyway, Wish.com is basically an e-commerce facilitator that allows sellers to list their products on the site and sell directly to the consumer. Wish doesn't stock the items, and instead acts as an intermediary handling payments. This has allowed Wish to become one of the leading platforms for selling counterfeit goods.

I bought something from Wish about five years ago and it was such utter crap that I never bothered to order anything off of the platform again. So, I found it pretty surprising when I got an e-mail from Wish.com stating that my account e-mail had been successfully changed to some account with a .ml extension. It was odd for two reasons: First off, I didn't request an account change. Second, even if I did, when making a change to the account e-mail address, a confirmation request should be sent to the original e-mail before such a change is authorized. That didn't happen. My only recourse was to e-mail Wish.com customer service, who took two days to tell me that they had to escalate the matter due to its sensitive nature. Great. So the initial change isn't sensitive enough to merit added security, but the retraction of that change is.

It didn't really matter to me, because while I may have been dumb enough to open the account using an easy-to-guess password, I wasn't dumb enough to leave any of my credit card info in there. Even if I had, the info had likely expired years ago. But, it was the principle that mattered, so I pressed on. I sent a follow-up e-mail about four days after their first reply and suddenly, a new account had been created with my e-mail address. I went to log in to the account and immediately clicked the "forgot password" feature. This allowed me to reset the password and log in. My order history was nowhere to be found. So, obviously, Wish.com decided that the easiest way to fix the problem was to just open up a new account for me using my old e-mail address.

So, what's the lesson here? Make sure all of your online accounts employ a strong password and use two-factor authentication where possible. Also, don't ever leave your credit card information in an app, unless you use a card that can issue virtual numbers that you can quickly expire.
