James Lyne
Contributor
Opinions expressed by Forbes Contributors are their own.
Your eBay Password For Sale? How, Where And Why
Since the eBay Inc announcement of a massive data breach, a seller has turned up on Pastebin (a notorious site for anonymous posting that is often used by hacktivists dumping data from hacks) offering a full copy of the 145,312,663 usernames, passwords, postal addresses and dates of birth from eBay. The seller has posted a sample of the database with 12,663 users from the APAC region, including password hashes, e-mail addresses and postal addresses, and is requesting payment by Bitcoin. This has naturally inspired a flurry of media coverage in the last few hours, as your information appears to be on sale right now.
Except, I’m not so sure it is. Let’s take a look at the advert posted by the seller and dissect what we can.
The seller is requesting 1.453 Bitcoins, which at present rates is about $770. He requests that you send the money to his address and then send the transaction ID to a Hushmail account (a service which provides privacy and makes the e-mail rather hard to track). This seems like a relatively low price for the data, but then anyone buying the list would have to do rather a lot of password cracking to reveal the passwords. The seller's e-mail and login ‘KbcdPfA@hushmail.com’ appears to have been created for the purpose of this post, as Pastebin shows us no other posts (or broader references) directly linked to this login online. Of course, what is interesting here is that the attacker has created one address for everyone to pay and hasn’t used Bitcoin ‘properly’ if he wants to privately transact with lots of individuals. That means we can go to a site and look at the blockchain record for that address (put another way, the list of people who have paid this supposed seller!).
Note that this list is empty, so at the time of writing no one has paid this seller for the data. However, if we dive into the sample data file from the seller we see a large number of names, e-mails, hashed passwords and addresses; it looks awfully legitimate. eBay has confirmed that this data is NOT their users' data (and they have the real data, so validating it should be easy). But let’s do a little more digging. If we take the text of the advert and search on Pastebin and other sites for similar text, we find a flurry of pretty much identical offers, except using different Bitcoin addresses and different prices. Always good to shop around before buying a huge database of 145 million users' passwords, I suppose. Take a look at this one:
This one is asking for only 0.5 BTC (what a bargain!), or you can pay in Litecoins if you want. Again they offer an address for payment, and if we look it up things get VERY interesting. Take a look at this blockchain address, which shows all the transactions processed against the address:
You are probably crying looking at your screen right now; at least I was. This address has processed Bitcoins worth millions of dollars at the present exchange rate. They have, of course, for the most part been shunted off elsewhere now. Feel free to go digging through the transactions more; it is quite interesting. Of course, there are other activities associated with this address, not just this scam (the values vary significantly), but we can infer quite a lot about how this money is being made given the advert! A quick scan of a couple of the other Bitcoin addresses in the other adverts shows a little more money moving around, and many of the amounts match the advertised values. We have buyers. Interesting.
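The inference above (compare what an advert address received against the price the advert quotes, ignoring the unrelated traffic an address may also carry) can be made mechanical. The following is an added example, not code from the article; the transactions, transaction ids and timestamps are constructed sample data in the shape a blockchain explorer would list, not real records, and the matching tolerance and "since" cut-off are my assumptions.

```python
"""Added example: count payments to a scam advert's Bitcoin address that
match the advertised price. All transaction data below is constructed;
the txid strings are placeholders, not real transaction hashes."""
from dataclasses import dataclass

SATOSHI = 100_000_000  # satoshis per BTC; work in integers to avoid float drift


@dataclass
class Tx:
    txid: str        # transaction hash (placeholder)
    value_sat: int   # amount received by the watched address, in satoshis
    time: int        # unix timestamp of the transaction


# Constructed sample of what an explorer might show for one advert address.
# The advert in this scenario is assumed to have been posted at time 1400800000.
ADVERT_POSTED = 1400800000
SAMPLE_TXS = [
    Tx("tx-placeholder-0", 50_000_000, 1400700000),     # 0.5 BTC, but BEFORE the advert
    Tx("tx-placeholder-1", 50_000_000, 1400800500),     # 0.5 BTC exactly
    Tx("tx-placeholder-2", 50_010_000, 1400803600),     # 0.5001 BTC (payer rounded up)
    Tx("tx-placeholder-3", 1_453_000_000, 1400810000),  # 14.53 BTC, unrelated activity
    Tx("tx-placeholder-4", 49_990_000, 1400820000),     # 0.4999 BTC (payer rounded down)
    Tx("tx-placeholder-5", 1_200_000, 1400830000),      # 0.012 BTC, unrelated activity
]


def matching_payments(txs, advertised_btc, since=0, tolerance_btc=0.0005):
    """Transactions at or after `since` whose value is within `tolerance_btc`
    of the advertised price. A tolerance is needed because payers rarely send
    the quoted amount to the satoshi."""
    target = round(advertised_btc * SATOSHI)
    tol = round(tolerance_btc * SATOSHI)
    return [tx for tx in txs
            if tx.time >= since and abs(tx.value_sat - target) <= tol]


def summarise(txs, advertised_btc, since=0, tolerance_btc=0.0005):
    """Headline figures an analyst would want: total seen at the address,
    how many payments look like buyers of this advert, and how much they paid."""
    matches = matching_payments(txs, advertised_btc, since, tolerance_btc)
    return {
        "advertised_btc": advertised_btc,
        "total_received_btc": sum(t.value_sat for t in txs) / SATOSHI,
        "likely_buyers": len(matches),
        "matched_btc": sum(t.value_sat for t in matches) / SATOSHI,
        "matched_txids": [t.txid for t in matches],
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_TXS, 0.5, since=ADVERT_POSTED)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Restricting to transactions after the advert's posting time and to values near the quoted price is what separates "this address is busy" from "people are paying for this advert"; the large unrelated transfers the article notes simply fall outside the tolerance.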
The last step is to validate the data. A quick assessment of the e-mail list shows there are big problems. If you connect to the mail server of some of the listed users and try to address the e-mail, you find that the mail server rejects the user as invalid. Not all mail servers operate this way, but I found a fair few that did, and a statistically very high percentage of the accounts I tried were rejected, suggesting that the list has been automatically generated or taken from an older data set. In short, it’s a scam. A very well timed, clever scam that has everyone very excited. That said, you should still take note.
Whenever a large event occurs on the Internet (particularly a data breach), cyber criminals are quick to use it as the linchpin of their latest scam. For some time now you will see a heightened number of fake password reset or identity validation spam messages trying to snare users into giving up details. We are likely to see many more offers for sale of the eBay data (I suspect the attacker, if he has the real data, will slowly siphon it off through known criminal forums where such data is sold) and, as I wrote in my previous article, more announcements as the attackers prove to have accessed more than expected.
If you use or used eBay you should go and change your password (see my tips here) and keep an extra eye out for scams. And eBay, please could you add detail to your statement that the passwords are ‘encrypted’ so that we can assess the risk of the passwords being cracked. It is easy to say encryption, but that could be anything from a paper bag to a heavily guarded vault depending on the implementation. Watch this space.
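To show concretely why "encrypted" says nothing about cracking risk, here is an added example (not code from the article, and not a description of what eBay actually does) contrasting a "paper bag" store, an unsalted fast hash, with a "vault" store, a per-user random salt plus a slow key-derivation function from Python's standard library. The user records, passwords and wordlist are all invented; the PBKDF2 iteration count is an assumption chosen only so the example runs quickly.

```python
"""Added example: how password storage choices change cracking cost.
All users, passwords and the wordlist below are constructed; nothing here
reflects any real service's implementation."""
import hashlib
import hmac
import os

# Constructed user records (plaintext shown only so we can build both stores).
SAMPLE_USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}

# A tiny constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["123456", "password1", "letmein", "qwerty"]


def weak_store(password: str) -> str:
    """'Paper bag': unsalted MD5. Same password -> same hash, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str, iterations: int = 100_000) -> tuple:
    """'Vault': random per-user salt plus PBKDF2-HMAC-SHA256.
    Returns (salt, digest, iterations), which is what would be stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def store_all_weak(users: dict) -> dict:
    return {u: weak_store(p) for u, p in users.items()}


def store_all_strong(users: dict, iterations: int = 100_000) -> dict:
    return {u: strong_store(p, iterations) for u, p in users.items()}


def shared_hashes(weak_digests: dict) -> dict:
    """Unsalted storage leaks which users share a password before any
    cracking is done: identical digests group them together."""
    groups = {}
    for user, d in weak_digests.items():
        groups.setdefault(d, []).append(user)
    return {d: us for d, us in groups.items() if len(us) > 1}


def crack_weak(weak_digests: dict) -> dict:
    """One MD5 per wordlist entry builds a lookup table that is reusable
    against every user in the dump (and could be precomputed in advance)."""
    table = {weak_store(w): w for w in WORDLIST}
    return {user: table[d] for user, d in weak_digests.items() if d in table}


def crack_strong(strong_records: dict) -> tuple:
    """With per-user salts nothing is shareable: every (user, word) pair costs
    a full PBKDF2 run. Returns (recovered, number_of_kdf_runs)."""
    found, attempts = {}, 0
    for user, (salt, digest, iters) in strong_records.items():
        for w in WORDLIST:
            attempts += 1
            candidate = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters)
            if hmac.compare_digest(candidate, digest):
                found[user] = w
                break
    return found, attempts


if __name__ == "__main__":
    weak = store_all_weak(SAMPLE_USERS)
    print("shared passwords visible without cracking:", shared_hashes(weak))
    print("weak store cracked with", len(WORDLIST), "hashes:", crack_weak(weak))
    found, runs = crack_strong(store_all_strong(SAMPLE_USERS))
    print("strong store needed", runs, "PBKDF2 runs (100k iterations each):", found)
```

Both stores are "encrypted" in the loose sense the statement uses, yet with the weak store a four-word dictionary and four hash computations recover every weak password in the dump and expose password reuse outright, while the salted, iterated store forces the attacker to pay the full key-derivation cost separately for each user and each guess. That cost multiplier, not the word "encrypted", is what determines whether a leaked database is a risk to its users.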
Follow James Lyne on Twitter, @jameslyne