We are a high turnover business and are currently being targeted by a sophisticated scam involving sending 2nd chance offers to bidders on our items. I believe the hack has taken place on the eBay site itself to obtain the bidding information, and the full name and email address of the users that did in fact bid on the item, but not win it.
Through what I believe is a vulnerability in the security of eBay, the hackers have access to eBay's customer database and thus have access to personal information. There are no records of these 2nd chance offers being sent by our account itself. It is a sophisticated hack, taking advantage of us as the high value trader, and using eBay's records of bidding information, and user information. A complete phishing email can be constructed looking exactly as it would if sent from eBay, and being sent to the fraudulently obtained email address of 2nd, 3rd and perhaps 4th highest bidders of the item. The hack takes two forms known to me. One uses an email address as a means to complete the fraudulent sale. The other reported to me only uses a PayPal account designed to receive funds with a 'buy it now' link on the fraudulent 2nd chance offer. We have had numerous reports from over 10 individuals of this fraud who were previous bidders on our items over the past 4 weeks. There would undoubtedly be many, many more instances of the scam taking place, but being unreported.
I believe the hack requires an urgent bulletin posted on eBay, and/or a general email to users advising them to be extremely cautious of emails pertaining to 2nd chance offers. This hack should immediately be escalated to a senior security staff member at eBay, and not treated with the templated response as per eBay's usual reply.
We have had reports from customers who have sent money, and presumably lost money due to this fraud. Frustratingly, after reporting this fraudulent activity, eBay has not taken any serious steps to investigate it. I have sent examples of the emails sent (as received from customers), and attempted to speak to higher levels of management. As stated, I believe the hack is taking place on the eBay site itself, therefore, if eBay don't have a solution, or have not been able to ascertain how this is occurring, it is obviously very embarrassing for eBay. This should not be reason enough to take urgent steps to advise customers to beware of this known problem.
-- Edited by budnonymous on Sunday 17th of March 2013 10:53:51 PM