Taking advantage of the cyber-attack revealed on Wednesday, a hacker claimed to possess a copy of the stolen database containing personal information of eBay’s customers. The auction site went public and declared that the copy was not authentic.
The hacker wanted to sell the database online through Pastebin, a web application where anyone can anonymously store text for a certain period of time. The asking price started at 1.45 Bitcoin, about £447.
To prove that the database was genuine (it supposedly contained up to 145 million contacts), the hacker provided a preview of 3,000 rows from it, including user names, addresses, phone numbers and dates of birth.
In an interview with The Guardian, an eBay spokesperson said that the information in the sample rows did not belong to its users: “The published lists we have checked so far are not authentic eBay accounts”.
Security experts from Digital Shadows are trying to narrow down the source of the extract. As far as they can tell, after correlating the hacker’s published data with public information from Facebook, the names are real even if they do not come from the auction site.
Rik Ferguson, Global Vice President of security research at Trend Micro, explains that “It is always tough to tell whether the data is genuine in situations like this”. He later added that the hacker’s database was probably just a scam: “The email addresses I have tested so far do not appear to be sourced from previous breaches”.
Because it saw no “unusual activity”, eBay did not discover that it had been hacked until May. Only after repeated unauthorized attempts to reach the database did the company understand what was happening. Fortunately, between the end of February and the beginning of March only one or two identities were stolen, the company told The Guardian. The good news is that those identities cannot be used to register on PayPal or Gumtree (also owned by eBay).
After the break-in, eBay naturally asked its users to change their passwords (it has a total of 233 million registered accounts and 145 million active users, 14 million of them in the UK alone).
The company was criticized for not encrypting all of its users’ information, such as their names, email addresses, physical addresses, phone numbers and dates of birth. As Ferguson put it: “It is inexcusable for a company the size of eBay with the amount of data it holds to not encrypt all personal information held”.
An eBay spokesman explained that they “use different levels of security based on different types of information we’re storing, and all financial information across all of eBay’s businesses is encrypted”.
eBay’s users will probably feel the repercussions of this cyber-attack for a long time after the break-in, as Hugh Boyes from the Institution of Engineering and Technology notes: “I am concerned that not only have they lost my email, username and password, but according to their website the loss includes home address, phone number and date of birth. This is serious from an identity theft perspective. The only item they are missing is mother’s maiden name and they have sufficient information to impersonate an individual when dealing with many financial organizations”.
Although eBay is investigating the breach through legal channels, there is still no evidence that user accounts have been compromised.