In the wake of eBay’s disclosure that a breach may have exposed the personal data on tens of millions of users, several readers have written in to point out an advertisement that is offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to pile on that the stolen eBay data is now for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds.
The advertisement, posted on Pastebin here, promises a “full ebay user database dump with 145, 312, 663 unique records”, for sale to anyone who sends 1.453 bitcoins to a specific bitcoin wallet. The ad includes a link to a supposed “sample dump” of some 12,663 users from the Asia-Pacific region.
There is a surprisingly simple method for determining the validity of these types of offers. Most Web-based businesses allow one user or customer account per email address, and eBay is no exception here. I took a random sampling of five email addresses from the 12,663 users in that file, and tried registering new accounts with them. The outcome? Success on all five.
For a sanity check on my results, I reached out to Allison Nixon, a threat researcher with Deloitte & Touche LLP (and one of the best sources I’ve met for vetting and debunking these supposed “leaks”). Nixon did the same, and came away with identical results.
“A lot of this is inference — finding out whether an account exists,” Nixon said. “A lot of the time if they generate fake leaks, they’re not doing it based on data from real accounts, because if they did then they might as well hack the real web site.”
eBay does maintain separate domains for different regions and countries, including ebay.co.uk (Great Britain), ebay.cn (China) and ebay.com.au (Australia), but testing indicates that all of these eBay sites use the same accounts database.
It’s worth noting that we saw nearly the exact same scams — an offer on Pastebin to sell a list in exchange for bitcoins — right after the LinkedIn breach last year. That offer also turned out to be fake.
Nixon posits that the main target of these fake leak scammers are probably security companies eager enough to verify the data that they might just buy it to find out. Interestingly, I did have one security company approach me today about the feasibility of purchasing the data, although I managed to talk them out of it.
“I think the target victim is a security company trying to verify,” Nixon said. “Only they would have that sort of money.”