Depop: 'I felt so violated when my account was hacked'

When Amelia Strike, 21, was logged out of her Depop social shopping app account in October, nothing seemed out of the ordinary.

"I thought I had just forgotten my password when I couldn't get back in, but a couple of days passed and I realised something wasn't right," says the Birmingham-based law student.

She then received a message from a stranger on Instagram, alerting her to the fact that her account had been taken over by a scammer advertising Apple AirPod headphones for £50.

She immediately used her brother's Depop account to comment on the offending post and contact the app. It was removed by the firm in a few hours and her password was reset.

But when Ms Strike logged back in, she was shocked by what she found.

"I felt sick - I scrolled and scrolled through hundreds of messages people had sent the scammer," she says.

The fraudster had been instructing shoppers to pay them directly through PayPal's "Friends and Family" option, which sidesteps Depop's fees and doesn't offer any protection for buyers.

Ms Strike counted at least three Depop users who made unauthorised payments of £50 to the scammer.

In Ms Strike's situation, to get users to trust scam listing, the hacker had also uploaded a photo of her name on a post-it note next to the headphones that were supposedly for sale.

This is a common tactic used by people selling second-hand items online, to prove that the photos were not stolen from another listing.

"I just felt so violated," she says.

She is not alone - 14 other users have told BBC News that their Depop accounts have been hacked in recent months. In all cases, the fraudsters demanded to be paid directly, rather than through the app.

Blending the look and social elements of Instagram with the buy-and-sell format of eBay, 90% of Depop's users are aged 26 or under.

Emily Goold, 21, a journalism student in Tewkesbury, was scared when her account was hacked and a fraudster posted a listing for a £350 jacket.

Depop took the listing down within 12 hours and reset her password, but Ms Goold says such incidents are becoming commonplace.

"You always know somebody who's had a Depop horror story. It's such a widespread problem now."

Scammers have continued to plague many online services through the pandemic.

One "have a go" method called "credential stuffing" involves using automated tools to repeatedly log into accounts, entering usernames and password information previously exposed from data breaches of other popular online services.

If a user doesn't use the same password on multiple services or has changed their passwords after being exposed in a data breach, this won't work.

According to Liv Rowley, a threat intelligence analyst at cyber-security firm Blueliv, cyber criminals are now targeting Depop accounts on an "industrial scale" using this method, capitalising on the fact that people often use similar passwords.

Depop told the BBC that the safety and security of its community is its "number one priority", and that the service has never had a data breach or had its infrastructure compromised.

The firm confirmed that credential stuffing is a big part of the problem.

"Weak passwords and the use of the same password across multiple accounts is the greatest source of account takeover, which is why we have initiated a campaign in the second half of 2020 to force some users to strengthen their passwords and to remind others of the importance of strong and unique passwords," says Depop's chief operating officer Dominic Rose.

Depop has started resetting passwords for some 12 million users that have not changed them in over a year and told the BBC it had sent reminders to a similar number to make sure their log-in details are unique.

"We will continue to remind our community about the importance of account security and updating their passwords."

The firm, founded in 2011, told the BBC that although the number of its users increased nearly two-fold to 26 million last year, it had seen a 50% decrease in account "takeovers" since its campaign began.

But Blueliv found that login details for several thousand hacked Depop accounts are being advertised for as little as $1.05 (77p) each on the dark web - a part of the internet that is only accessible using specialised tools.

While a Vice investigation first highlighted the problem in May, there is now evidence that account logins are being sold across multiple dark web "marketplaces".

The information for sale includes usernames and passwords, with extra charged for details such as follower count, the number of sales completed by a user and their ratings by other shoppers.

"The accounts are being compromised and that definitely is concerning," Ms Rowley says. "While it's not a Depop-specific problem, I think [credential stuffing] is one we're going to see expand in the next five years."

One Depop user told the BBC they would feel "much more comfortable" if the app introduced two-factor authentication, where users enter a one-time code sent to them via email or text, for example, after attempting to sign in.

Depop confirmed that it intends to implement multi-factor authentication in 2021.

But Aman Johal, director at law firm Your Lawyers, which specialises in consumer action claims, says the platform needs to act urgently, "particularly given its relatively young user base, where the duty of care is greater".

"The fact that this has been going on for months...is unacceptable. Given the volume of compromised accounts for sale, the horse has already bolted," he added.

For some users, trust in the company has been dented.

"I feel like their security measures need to be amped up because it's just not good enough," says Ms Strike, who has been a Depop user since 2015.

"I've used [Depop] for a long time but I'm reluctant to continue because it just doesn't feel safe anymore."