eBay hack: Offer of Malaysian account details not authentic (Update 2)
By Gabey Goh May 23, 2014
- Leaked sample of predominantly Malaysian accounts purportedly offered as proof
- eBay denies info is authentic, still urges customers to change passwords
[Article updated with eBay statement to DNA]
FOLLOWING the disclosure by online marketplace eBay this week that hackers had gained access to the personal data of customers, offers to sell the data have surfaced with a sample of 12,000 accounts, predominantly Malaysian, being provided as proof. However, eBay denied the information is authentic.
"In response to your question, the published lists we have checked so far are not authentic eBay accounts. We still encourage users to go to eBay to change passwords," a spokesman told Digital News Asia (DNA) via email.
eBay first publicly disclosed a breach on Wednesday (May 21), stating that it discovered the hack about two weeks ago and that the database was compromised between late February and early March.
It did not disclose how much of the data within was copied, but the breach affects potentially all of its 233 million users worldwide.
There are at least half a dozen such offers to sell the stolen data circulating, each with a different contact email and Bitcoin address to send the cryto-currency to, with prices ranging from 0.5BTC to 1.453BTC (approx. US$257.74 to US$748.98 at current exchange rate).
One offer to sell instructed those interested in obtaining the full list to transfer bitcoins (BTC) to an address and contains a link to a downloadable file containing a sample of the leaked data as proof of the offer’s legitimacy.
With the description “sample dump of 12 663 users from apac region”, approximately 10,000 users are from Malaysia according to members of the local tech community who alerted Digital News Asia (DNA) to their discovery.
Once downloaded, the CSV file contains a list of names along with names, addresses, phone numbers, and password hashes, which can be decrypted to reveal the information.
A technology consultant based in Kuala Lumpur, Derek Chong, noted that people purporting to be selling the eBay dump have been “spreading quite a bit in the last few hours actually” (late Thursday night).
“I reckon there’s a fair chance those are fake as the timing's awful convenient. I mean, if they had them for two weeks and sat on them until the day after eBay announces the leak, it doesn’t make any sense,” he said when asked about the legitimacy of the claim.
“It’s likely just scammers trying to get people to send them bitcoins. I just wonder where they got the Malaysian user data from,” he added.
Security expert and freelance IT solutions provider @sniiffit echoed Chong’s scepticism on the legitimacy of the offer.
“The amount he's asking is a bit much, and with an example that I have to brute force myself? eBay has been in business for a long time; if I managed to get a dump of their database, I’d rather have it blown all out in the open rather than trying to sell it.
“But then again, everyone has different motivations to their actions. As it stands, we can’t verify the authenticity of the dataset, eBay will have to be the one to do that,” he added.
The hacked database contained information such as names, email addresses, birth dates, encrypted passwords, physical addresses, and phone numbers.
According to a New York Times report, eBay said that there was no indication that the attackers obtained financial information such as credit and debit card numbers or gained access to customer accounts at PayPal.
However, even with eBay reporting no evidence of fraudulent activity that could be linked to the breach, security experts have said that the stolen data could still be used for identity theft.