Hacked eBay account details being sold, but they’re almost certainly fake

This week's major security incident involved eBay, and as you've no doubt seen, the company was the victim of hackers a couple of months back.

The attackers managed to get hold of eBay employee logins to access the system and strip personal details on eBay accounts including postal addresses, phone numbers, email addresses and passwords – with eBay only noticing the intrusion a fortnight ago, and being rather lackadaisical in reacting when it did finally spot that something was up.

And now, the predictable has happened – some enterprising ne'er-do-well is flogging a claimed copy of an eBay user database dump chock full of said details, with an ad on Pastebin offering a purported 145 million records for 1.45 Bitcoins.

However, rather than a 'genuine' sale of the proceeds of the theft, it seems that this offer is somebody trying to cash in on the eBay security breach, and rip off the rip-off merchants.

eBay told the Register that the details on offer were fake. The auction site said: "We have checked all published data and so far none are authentic eBay accounts."

A data sample from the alleged database dump has been put on Mega – although minus the passwords – allowing independent security experts to take a look through, and most are pretty sceptical about the veracity of the data on offer.

Security expert Kenn White took a quick sample from the Mega data and found that ten out of ten emails were "all found in well-known public leak DBs [databases]".

Brian Krebs called the list Bitcoin bait, after employing a simple test in which he tried to make a new eBay account using five of the sample email addresses (if an account already existed for an address, he wouldn't be able to register a second one with it). However, he successfully registered all five.

Krebs also spoke to Allison Nixon, a threat researcher with Deloitte & Touche LLP, who performed a similar experiment with similar results. Nixon commented: "It's worth noting that we saw nearly the exact same scams – an offer on Pastebin to sell a list in exchange for Bitcoins – right after the LinkedIn breach last year. That offer also turned out to be fake."

eBay has been roundly criticised over its rather slapdash response to getting users to change their passwords this week, as we highlighted in our closer look at how badly eBay handled its database breach.

Needless to say, you should go and change your eBay password if you haven't done so yet. However, while passwords can be changed, phone numbers, postal addresses and dates of birth can't – which could be the real impact of this data spillage.