kaushik160
Member

Hacked My Upwork Account

An Annonymous  person has added Payoneer payment method. And Withdrawn my all amount. 


There are 72 hours completed and till I have no update from Upwork on my Ticket on it.


I have asked for the bank account details / Phone number / Address information of the hacker who stolen amount via Payoneer Payment method.


Upwork customer care is just replying me with they are working on it. but there is no single action on it.

 

My Ticket number is 12105619 , where you can find hacker email ID and his Name on Payoneer.

"**Edited for Community Guidelines**"  is the person from Security department handling my ticket.

 

Can somebody help me on this ?

Regards
Kaushik

73 REPLIES 73
vladag
Community Manager
Community Manager

Hi Kaushik,

 

I'm sorry to hear your account was compromised. I see our team assisted you after you reported the incident, contacted Payoneer and have shared all the information we have as soon as you requested them. As stated by our agents on the main ticket and 15 additional tickets you created, we are waiting for a response from Payoneer in regards to the specific details you requested, as we don't have an insight into that information.

 

Please keep communicating on your main ticket and keep checking for updates our team will share once they have more information.

 

Thank you.

Untitled

Vladimir, Thank you so much for the reply.

 

It's about more than 72 hours completed. it means 3 days. And I am just getting infomation with "waiting".

 

I mean Upwork is not a small firm and even Payoneer is big firm. upwork  must have reply on this issues. it's very long interval.

 

Even Upwork don't have answer on how many hours, How many days , how many months to wait to get things solve.

 

It must be fast track process in such a case. and with high priority. And if you are considering "This is very high ticket/issues" then why you haven't resposne from payoneer. why such long dealy ??

 

 

There is no action at all at the moment.

vladag
Community Manager
Community Manager

Hi Kaushikbhai.

 

I do see that you requested the specific info on Tuesday and we have already contacted Payoneer regarding your request. We are still waiting for an update from their team.

Untitled

This qeury is not regarding to get just specific info that I have requested.

 

I requested those info , for my internal check out with those info.

 

But what upwork is doing in this situation to sort out this issues. to get money back.. ! nothing !! ? ?

 

 

The chance of getting your money back are close to 0.

 

It will have been turned into cash within minutes after the transaction. All Upwork can do is suspend the person who did it from the platform.

As Per my knowledge and experience with Payoneer , After withdrawing amount from upwork account it will be added to payoneer and it will be in bank account after 3 days.

 

 

 

 

 

 


@Bhavesh P wrote:

As Per my knowledge and experience with Payoneer , After withdrawing amount from upwork account it will be added to payoneer and it will be in bank account after 3 days.

 


 After withdrawing funds from Upwork to my Payoneer card I can go to an ATM and take the cash out within 10 minutes.

.

 

Hello Petra

 

How you can say like that "Upwork can do is suspend the person" .  There is no such a person in upwrok. it was via payment method in way of Payoneer.

 

Now  his payoneer Id is ****@consultant.com

And as I have refere the blog this type of email considering as hacker . then why upwork allow to add such a emailid as payment method.

 

and I don't get you comment with money back chance close to 0 as it will be take time to transfer amount from payoneer to local bank account


@Kaushikbhai P wrote:

and I don't get you comment with money back chance close to 0 as it will be take time to transfer amount from payoneer to local bank account


 Possibly. But it takes only minutes to drive or walk to the nearest ATM and withdraw it with the Payoneer card.

Vladimir,

 

Since Upwork is a financial institution would you suggest to them that they implement two-factor authentication like the banks, Google, Facebook, and Microsoft do?  That requires a code generated by or sent to your cell phone to log in (see the Google Authenticator app).  That makes this type of hacking impossible as someone who has stolen the user's password would not have stolen their cell phone too.

 

regards,

 

Walker

Wow. That's more than a little scary. I don't use Payoneer, and after this posting would be really uncomfortable with it. I wonder how often this kind of thing happens?


@Ona J B wrote:

Wow. That's more than a little scary. I don't use Payoneer, and after this posting would be really uncomfortable with it. I wonder how often this kind of thing happens?


It has nothing to do with having a Payoneer account. Somebody broke into his Upwork account and added a Payoneer account.

 

Upwork may want consider adding a two steps authentication, for instance by using Google authenticatior, in order to improve account security. People are so clueless about passwords and password stealing techniques that hacking into one's account is an easy exploit.

-----------
"Where darkness shines like dazzling light"   —William Ashbless

Sir, Please read my reply to  Ona J B. for what is the possibility 

 

Hello Ona,

 

There is big mistake with notification/showing the message at added Payoneer  payment method

 

I haven't get the notification on my email due to hacker  got success with to break the security of upwork. 

 

and After successfully adding Payoneer method , you can see that Payonner( Your Upwok Account )  method. There is not emailId of that newly added Payoneer account.

 

How can someone identify  that this is somebody else Payoneer account as there is EmailID ( Or Name or Payoneer Account ) display in upwork ? 

 

The second main important things is Payoneer emailID is with XXXXX@consultant.com . You are big firm ( upwork -Payoneer) and how you allow user to add such email in payment method .

I am expecting this will be fix by upwork and also will resolve my issues at the mement. 

I've always felt that the security of my computer was my responsibility.  That if I didn't take steps to make sure that my accounts were protected by strong passwords, anti-malware software and two-step authentication, I would run the risk of being hacked.

 

Upwork really isn't responsible for your account security.  That is something you must attend to.  

Hello Christy, Hope you can read it properly . 

 

There is big mistake with notification/showing the message at added Payoneer  payment method

 

I haven't get the notification on my email due to hacker  got success with to break the security of upwork. 

 

and After successfully adding Payoneer method , you can see that Payonner( Your Upwok Account )  method. There is not emailId of that newly added Payoneer account.

 

How can someone identify  that this is somebody else Payoneer account as there is EmailID ( Or Name or Payoneer Account ) display in upwork ? 

 

The second main important things is Payoneer emailID is with XXXXX@consultant.com . You are big firm ( upwork -Payoneer) and how you allow user to add such email in payment method .

I am expecting this will be fixed by upwork and also will resolve my issue at the moment. 


@Kaushikbhai P wrote:
.........due to hacker  got success with to break the security of upwork.

 That sounds most unlikely.

 

What is almost certainly the case is that you were not hacked as such, but downloaded a virus / trojan / fell for a phishing scam which meant you handed your log in credentials to the person who then logged into your account using your credentials and changed the details.

 

I hope that you have since cleaned your computer and changed all passwords for everything....

lol @ "it could be an infected server."

 

Good grief people l2security.

 

The dude fell for a phishing scam or gave his credentials to someone. They ask you a security question before you log in on a different computer as well. He's not being entirely honest or he doesn't even realize he fell for a phishing scam.

 

Could be a keylogger too. Who knows but it's not "upwork infected servers." lulz If that were the case, this place would be inundated with hacked account questions.

What is equally likely is that hackers bought a stolen list of emails and passwords from the data breach at LinkedIn or other sites.  People tend to reuse the same password for each site.

 

 


@walker R wrote:

What is equally likely is that hackers bought a stolen list of emails and passwords from the data breach at LinkedIn or other sites.  People tend to reuse the same password for each site.

 

 


They would still need his secret question answer to log in. I think it's more likely he fell for the phishing scam that was being posted somewhat frequently a couple weeks ago. Some people just give others their credentials here too, so there is always that possibility. He's not going to admit to that because it's against ToS. 

Christy A we don't know how many people are facing this situation. Upwork server could also be infected, so you can't just blame freelancer.

 

Whole incident should be investigated properly.

Uplift Upwork Visual Style : Add-on
Link Removed

Yes are right Anil.

 

If this type of fishing  has been occurring then this is the open way to do to on any body upwork. and upwork failed to give it's security in this website. 

 

I have already written the scenario in one reply that how this hacking occur. 

 

 


@Kaushikbhai P wrote:

Yes are right Anil.

 

If this type of fishing  has been occurring then this is the open way to do to on any body upwork. and upwork failed to give it's security in this website. 

 

I have already written the scenario in one reply that how this hacking occur. 

 

 


lol how is it that YOU giving your credentials to a hacker or your buddy who isn't very honest is suddenly Upwork's fault? YOU gave them your credentials. YOU. Take responsiblity, own it, and do what is necessary to avoid it again in the future. 

Hello Jennifer,

 

I completely agree with what you are saying. But If I say that no one know my upwork password except me.

 

What do you say then ?  I think you haven't read whole discussion in this forum. please read mam. 

 

 

And lastly, I can say for you that I am not that much super that can  change someone negative mind. 

 

 


@Kaushikbhai P wrote:

Hello Jennifer,

 

I completely agree with what you are saying. But If I say that no one know my upwork password except me.

 

What do you say then ?  I think you haven't read whole discussion in this forum. please read mam. 

 

 

And lastly, I can say for you that I am not that much super that can  change someone negative mind. 

 

 


I say that you're either lying or in denial. Obviously, someone else has your password. Also, my suggestion is that if you use the same password for other accounts especially those with the same email that you change the password there too.

 

I would let Upwork do their thing, but I would also do what is necessary to protect other accounts and move away from the denial stage. 


@Kaushikbhai P wrote:

Hello Jennifer,

 

I completely agree with what you are saying. But If I say that no one know my upwork password except me.

 

 

 

 


Now it is obvious that somehow, somebody else gained knowledge of your password. So right now, there is at least two of you knowing it. Unless you have already changed it, which I would strongly recommend you to do if you haven't.

 

You may have fallen for a phishing scam without even realizing it. You learned your lesson and now on you will be more careful.

-----------
"Where darkness shines like dazzling light"   —William Ashbless


@Kaushikbhai P wrote:

 But If I say that no one know my upwork password except me.

 


 Then I am afraid you are still in danger, because there is still someone out there with your credentials, because with 99.9999 % certainty you fell for some scam somewhere which handed your log in credentials for heaven knows what else (!!) to the person who subsequently logged into (NOT "hacked") your account and did what they did.

Actually there is an excel file going around on Upworks that was hard to detect as a virus. I had it on my system as I thought it was a real client posting but I didn't do what it had asked because I found it odd. I did download it though and a virus scan didn't show that it was one. I got a warning from Upworks about the file. So things can happen and people need to be aware that you need to use extreme caution with files downloaded as examples from clients and even stuff from freelancers. I do think Upworks needs to do more to prevent it from happening. It took them 8 days or so to even send me a message that said I may have a virus. There should be a review for a clients/freelancers first couple of posts when they are new members or something. The phishing, scams, and other odd postings seem to be getting worse. 

 

Actually, It is Upworks responsibility as well to keep accounts safe. It's one of the purposes for me using this platform. lol to the people that think that isn't true. You're talking about this person and saying it's his fault and all, but it could happen to anyone really. It's the same thing I expect from a bank. It's my responsibility to keep my information secretive, but I also expect the bank to have securities to ensure my information is not disclosed. 


@Amanda F wrote:

I do think Upworks needs to do more to prevent it from happening. T


As said before, the fact that they are not using 2 steps authentication is a flaw in the system. And the "security questions" technique that they may be using, which may have been ok in the 2000s, is now obsolete. Less and less online companies use this.

-----------
"Where darkness shines like dazzling light"   —William Ashbless

“And the 'security questions' technique that they may be using, which may have been ok in the 2000s, is now obsolete.”

 

So true.

 

 

For some sensitive activities such as withdrawals and changing account settings, perhaps Upwork should implement an OTP.

"Certa bonum certamen"

Yes Ravindra Sir, 

If they have implemented this OTP , then there will be very less chance on adding new payment methods. and what happened with me will never happen. 



@Amanda F wrote:

Actually there is an excel file going around on Upworks that was hard to detect as a virus. I had it on my system as I thought it was a real client posting but I didn't do what it had asked because I found it odd. I did download it though and a virus scan didn't show that it was one. I got a warning from Upworks about the file. So things can happen and people need to be aware that you need to use extreme caution with files downloaded as examples from clients and even stuff from freelancers. I do think Upworks needs to do more to prevent it from happening. It took them 8 days or so to even send me a message that said I may have a virus. There should be a review for a clients/freelancers first couple of posts when they are new members or something. The phishing, scams, and other odd postings seem to be getting worse. 

 

Actually, It is Upworks responsibility as well to keep accounts safe. It's one of the purposes for me using this platform. lol to the people that think that isn't true. You're talking about this person and saying it's his fault and all, but it could happen to anyone really. It's the same thing I expect from a bank. It's my responsibility to keep my information secretive, but I also expect the bank to have securities to ensure my information is not disclosed. 


If you give someone your banking credentials, they will tell you "well duh you gave them to the hacker." They are responsible to keep the data safe from their own breaches. Security is a collaborative effort where the user must be educated on what to look for when it comes to scam and phishing. 


@Jennifer M wrote:

If you give someone your banking credentials, they will tell you "well duh you gave them to the hacker." They are responsible to keep the data safe from their own breaches. Security is a collaborative effort where the user must be educated on what to look for when it comes to scam and phishing. 


Thank God the major Internet players out there realized some time ago that this is not the case and that the user being the weak link, they need to take security off users hands.

 

I know at least one tech-savvy person who shared your views and was loling about other being reckless about IT security. Until he was hacked big deal.

-----------
"Where darkness shines like dazzling light"   —William Ashbless


@Rene K wrote:
@Jennifer M wrote:

Thank God the major Internet players out there realized some time ago that this is not the case and that the user being the weak link, they need to take security off users hands.

 

I know at least one tech-savvy person who shared your views and was loling about other being reckless about IT security. Until he was hacked big deal.


 He ain't as good as me, Rene. 😉

 

Obviously.

Jen, I think you are just sort of repeating what I said though. Yes, it is a collaborative effort as I stated in my post. (I said we need to be careful too and not share your info) but Upworks should have better security too. I don't feel they have enough in place to stop this stuff from going on. You can say what you want but it's true. No need to blame the guy entirely, we don't know what exactly happened so the point is moot. He probably did take certain measures too, but could have fallen to downloading something, scanning it, and not realizing it had a virus. Not all virus stuff can be found right away with scanning software, but it can be looked at if it's odd. Those posts should still be seen as suspicious by upworks like when someone askes to enable macros, that type of posts should be looked into right away, not 12 days later(that is how long it took to make me aware I may have downloaded a virus). lol 

 

It would make sense to review new freelancers and clients for this type of activity for so many posts or at least have a better security system in place when it comes to your account and private information. 

kochubei_valeria
Community Manager
Community Manager

Hi Kaushikbhai,

 

The team will update you via the open ticket about their progress with Payoneer as soon as possible. Appropriate actions are also taken regarding the hacker's Payoneer account and the team will investigate this case further to see what can be done to remedy the situation. 

 

I would also like to confirm that Upwork servers are not infected and this is an individual case.

 

Thank you.

~ Valeria
Upwork

Hello Valeria,

 

Thank you for the response. 

 

Hope you have read my ticket 12105619 and also read the reply on the scenario on hacking.  

 

This is an individual  case. but this is open to all upwork account and may effect to many more people.

 

And for waiting on my ticket. Yes I am hoping for good and waiting for the reply in this ticket.

 

 

 

 

 

Hello Valeria 

Yes Just received a reply in my ticket with 40% recovery amount to my upwork account back. 

 

But what about remain 60% amount. 

Customer representative just replied with " The remaining amount cannot be recovered because they were spent by the hacker."


Now hacker is also a human. By his Payoneer account , Payoneer  has  his all the information . Can't they do legal action against him and try to recover those amount.

Why upwork Can't pay me if they can't recover it from the hacker or by legal action against him ,as up work is failed to make the security  what is my fault here. ? 

Or why they can't go against legal action against Payoneer as Payoneer is allowing to add such account with email having XXX@consultant.com