In the wake of eBay’s disclosure that a breach may have exposed the personal data of tens of millions of users, several readers have written in to point out an advertisement offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to report that the stolen eBay data is now up for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds.
The advertisement, posted on Pastebin here, promises a “full ebay user database dump with 145, 312, 663 unique records”, for sale to anyone who sends 1.453 bitcoins to a specific bitcoin wallet. The ad includes a link to a supposed “sample dump” of some 12,663 users from the Asia-Pacific region.
There is a surprisingly simple method for determining the validity of these types of offers. Most Web-based businesses allow only one user or customer account per email address, and eBay is no exception. If the addresses in a sample really belonged to existing eBay accounts, the site would refuse to register them a second time. I took a random sampling of five email addresses from the 12,663 users in that file and tried registering new accounts with them. The outcome? Success on all five.
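The check described above, written out as a small script. This is an added example and not code from the original post; the addresses in the embedded "dump" are constructed for the example, and the `account_exists` callback is a stand-in for the live step the post describes (attempting a registration and treating a refusal as "this address already has an account"). The script parses the dump, draws a random sample, applies the one-account-per-email rule, and computes how likely an all-clear result would be if some fraction of the dump were genuine, which shows why a handful of probes is enough when the seller claims every record is a real account.

```python
import random
import re

# Constructed stand-in for the "sample dump" linked from the ad.  Every
# address here is made up for this example; none comes from any real dump.
SAMPLE_DUMP = """\
email,username,country
alice.tan@example.com,alicetan88,SG
bob.wong@example.net,bwong,HK
carol.ito@example.org,c_ito,JP
dan.kim@example.com,dkim2012,KR
erin.lee@example.net,erinl,AU
frank.ng@example.org,fng,MY
alice.tan@example.com,alicetan88,SG
not-an-address,broken,XX
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dump(text):
    """Return the unique, well-formed email addresses from a CSV-style dump.

    The header row is skipped; malformed and duplicate addresses are dropped,
    since a padded dump often repeats or garbles records.
    """
    emails, seen = [], set()
    for line in text.strip().splitlines()[1:]:
        addr = line.split(",")[0].strip().lower()
        if not EMAIL_RE.match(addr) or addr in seen:
            continue
        seen.add(addr)
        emails.append(addr)
    return emails


def sample_addresses(emails, k, seed=None):
    """Pick k distinct addresses at random (seed only for reproducibility)."""
    return random.Random(seed).sample(emails, k)


def vet_leak(sample, account_exists):
    """Apply the one-account-per-email test to each sampled address.

    account_exists(addr) is the caller's oracle.  In the post it is a live
    registration attempt: refusal means an account already uses the address,
    success means nobody has an account under it.
    """
    existing = [a for a in sample if account_exists(a)]
    unregistered = [a for a in sample if a not in existing]
    return {"checked": len(sample), "existing": existing, "unregistered": unregistered}


def prob_all_unregistered(real_fraction, k):
    """Chance that k random draws all lack an account when real_fraction of the dump is genuine."""
    return (1.0 - real_fraction) ** k


def verdict(result):
    """One-sided rule: a registrable address cannot belong to an existing account."""
    if result["checked"] == 0:
        return "no data"
    if not result["existing"]:
        return "almost certainly fake"
    if not result["unregistered"]:
        # Real accounts in the sample do not prove a breach: genuine addresses
        # can be harvested from elsewhere and passed off as a new leak.
        return "consistent with real accounts (not proof of a breach)"
    return "mixed: partly padded with bogus records"


if __name__ == "__main__":
    emails = parse_dump(SAMPLE_DUMP)
    picked = sample_addresses(emails, 5, seed=1)
    # Constructed oracle: pretend no address in the dump has an account,
    # which is the outcome the post reports for all five probes.
    result = vet_leak(picked, lambda addr: False)
    print(verdict(result))
    print(f"P(all 5 free | dump 50% real) = {prob_all_unregistered(0.5, 5):.3f}")
```

The test is deliberately asymmetric. Because the seller claims a complete user database, a single address that can still be registered contradicts the claim for that record, and five out of five is decisive; if half the dump were real, the chance of five random probes all coming back free would be about 3 percent. The reverse result carries much less weight, since a scammer can seed a fake dump with real addresses gathered from other breaches.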
For a sanity check on my results, I reached out to Allison Nixon, a threat researcher with Deloitte & Touche LLP (and one of the best sources I’ve met for vetting and debunking these supposed “leaks”). Nixon did the same, and came away with identical results.
“A lot of this is inference — finding out whether an account exists,” Nixon said. “A lot of the time if they generate fake leaks, they’re not doing it based on data from real accounts, because if they did then they might as well hack the real web site.”