Less than 24 hours after e-commerce giant eBay admitted to hackers illegally accessing millions of encrypted passwords and personal data after a cyber attack on its corporate network, several Pastebin posts have surfaced claiming to be selling personal records allegedly obtained from the breach.
One of the more prominent anonymous postings is selling the data for 1.453 BTC, or $753. The anonymous user linked to a sample information dump containing personal information from 12,663 users in the Asia Pacific region. I downloaded the sample, and it includes names, the supposedly encrypted passwords, email and physical addresses, phone numbers and birth dates. Still, there’s no way of knowing if this data is legitimate, and more specifically, if it belongs to users victimized in the most recent eBay cyber attack.
We’ve found one other Pastebin post claiming to have eBay users’ personal information—the post seems less sophisticated and thus less likely to be legitimate. We remain highly skeptical of all of these anonymous posts, but one thing is certain: A cyber attack most certainly did occur, and eBay users should definitely change their passwords immediately.
eBay said Wednesday no financial data was compromised in the attack—just personal details like names, encrypted passwords, emails and physical addresses, phone numbers, and dates of birth. However, if a hacker cracks your encrypted eBay password, they could pair it with your username and email address and try it elsewhere, for instance on your PayPal account.
It is still unclear who is behind the attack, but eBay said it is working with security researchers and law enforcement officials to find out. In the meantime, just change your password already.
Update 11:26 AM: As cybersecurity reporter Brian Krebs points out, the Pastebin posts are most likely attempts to steal Bitcoins. However, it’s possible the real attackers may try and sell this data eventually—perhaps not over Pastebin—so your personal data is likely still at risk.
Update 5/23 5:00 PM: eBay says the database is not authentic.
Lead image courtesy of jessicalstreit on Flickr