eBay breach data for sale, believed a fraud

News by Steve Gold

But it could be the real thing and you might find out if you have 1.45 bitcoins to spare.

Hard on the heels of eBay admitting to a data breach potentially involving its full complement of 140 million plus users, an advert has appeared on the Pastebin data sharing site, offering the "full eBay user database dump with 145,312,663 unique records," in return for a payment of 1.453 bitcoins. The advert also includes a sample dump of more than 12,000 users from the Asia-Pacific region.

Several security experts claim to have analysed the sample data and, whilst some say it is legitimate, others say it is not.

Leading security researcherBrian Krebs, for example, says that, after attempting to register five email addresses from the data dump, eBay allowed him to create new accounts - normally this is not possible.

eBay, he says in his analysis, "does maintain separate domains for different regions and countries, including ebay.co.uk (Great Britain), ebay.cn (China) and ebay.com.au (Australia), but testing indicates that all of these eBay sites use the same accounts database."

Lysa Myers, a security researcher at ESET, meanwhile, is also sceptical as to the veracity of the database, noting that the price of 1.45 bitcoins does seem to be "astonishingly low" for the data on 145m users.

"Even if the sample is not in fact from the eBay breach, it could potentially be data from another company's leak," she says in her security blog, adding that there is still a risk that users' eBay accounts are linked to their PayPal service, which is owned by eBay.

Linked accounts, she goes on to say, "can provide criminals an easier way in to a wider variety of data, as they infer authentication across different services."

Jon French, a security analyst with AppRiver, says his research suggests the eBay database being offered on Pastebin is legitimate – as, if you search the file-sharing service, there are a few posts similar to the Bay offer, and some with people claiming they carried out the attack.

"I don't doubt people are putting out fake data to try and get some money but the link posted with the file looks to be somewhat legitimate. As in the data looks like it may be real but there's no way to tell if it's real from eBay. This could be leaked data from another breach or just a well made fake that was fed some good starting data," he said.

"But there is a lot of unique information in the file and it varies pretty well in things like the domains, names, and birthdays. So I assume it may be real at least in some sense. I'll be wary of anything like this until I see people saying they see their own names (or if I end up seeing mine)," he added.

"Eventually if the pastebin offer is legit, someone will post the file for free somewhere or some security company that buys it will verify authenticity. If it's fake, that person is bound to get a couple grand from this scheme," he went on to say, noting that - with a 22GB size - the scale of the file sounds about right.

Still at risk

Just to make life interesting, the Mashable newswire says that eBay users many still be at risk of an attack, even if - as eBay suggests - they change their passwords.

This reasoning is based on the fact that eBay account data includes the name of the user, an encrypted password, an email plus physical address, phone number and date of birth.

"That's a lot of important information. In fact, as the attack against Wired reporter Mat Honan demonstrated, access to just a bit of personal information — like a phone number, email and physical address — paired with good old-fashioned social engineering can lead to massive amounts of damage," says the IT newswire.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews