If a hacker were to obtain a shipping tracking number what could be compromised?

I this happened to me by an Ebay scammer. UPS is very difficult to work with and it is almost impossible to speak to a person. The scammers know that you have limited ability to solve the problem because of privacy policies at the shipping companies. Since you are not the addressee, they will not give out information about the shipment. With enough persistence, I was able to speak to a customer service "manager" who broke UPS protocol and emailed me a statement saying the package was not shipped by the seller and was not addressed to me. Armed with that information, I was able to have Paypal rule in my favor and issue a refund.

The shipping companies and eBay all know about this scam but, are not doing anything to prevent it. One simple solution is for the shipping companies and ebay to communicate with each other. The scammers would lose the incentive.

I had this happen. UPS/PayPal is not acknowledging the issue. My credit card company has at least temporarily, reimbursed my account. I will not be using PayPal anymore until they create a more robust methodology to validate UPS tracking numbers with the intended recipients.

"A hacker with access to the UPS tracking database can make bogus sales online, using PayPal to take payment. They then watch the UPS system for another package matching the date and delivery area or town, copy that number and send it to Paypal for their bogus sale. The unwitting buyer watches the tracking across the country, right to their town, but the package never arrives. UPS will confirm the package was delivered, (the original, legitimate one was), but the scammed buyer has nothing. Buyer then opens a dispute claim with PayPal, who sides with seller, (because the tracking number says it was delivered), and will not refund money to buyer, or go after hacker/seller. It is ingenious, and, I'm sure, very profitable. The scammed buyer must contact UPS and try to get delivery confirmation proof that is was delivered to another address, and provide that proof to PayPal in order to try to reopen the case and get a refund."

A hacker with access to the UPS tracking database can make bogus sales online, using PayPal to take payment. They then watch the UPS system for another package matching the date and delivery area or town, copy that number and send it to Paypal for their bogus sale. The unwitting buyer watches the tracking across the country, right to their town, but the package never arrives. UPS will confirm the package was delivered, (the original, legitimate one was), but the scammed buyer has nothing. Buyer then opens a dispute claim with PayPal, who sides with seller, (because the tracking number says it was delivered), and will not refund money to buyer, or go after hacker/seller. It is ingenious, and, I'm sure, very profitable. The scammed buyer must contact UPS and try to get delivery confirmation proof that is was delivered to another address, and provide that proof to PayPal in order to try to reopen the case and get a refund.

I just had my iPad shipment re-routed from FedEx to a local store where the thief signed for the package with a name almost exactly as mine. I ordered the iPad via cell phone/internet without wifi connected. I checked the routing a few times via the same cell phone...

Somehow the thief now has my iPad and FedEx says there is nothing they can do about it.

This depends on the service used to ship the goods. Certain services (e.g. GLS in Germany) will allow you to reroute the parcel to a nearby GLS-Hub after it has been sent on its way. By using social engineering and the hotlines of delivery services one might be able to divert parcels of other services too. Most delivery services will only allow you to redirect a parcel to a "safe location" this will be an office of the service provider that you will force you to prove your identity to pick it up.

Regarding personal information: DHL in Germany requires you to know the destination ZIP-Code to track a parcel in detail. Other providers might leak information through their tracking portals.

This said, the attacker will most certainly not be able to steal the parcel, but will be able to delay the shipment by certain periods.

A hacker that just has a tracking number won't be able to do very much with it on it's own. However, if a hacker can gain access to the logistics database of the shipping company's entire operation, that tracking number, if the hacker so chooses, can then change the destination address in the system as an update and pretend that you initiated that change. In this way, they could have packages dropped at random addresses where the hacker would then personally pick up the package and sign your name to complete. The shipping company will see your signature and will believe that you received your package.

However such logistics systems are usually heavily monitored and in my research on the subject, I don't find many cases of such a risky hack occurring. Though it is not implausible.