Rumours circulated last night that the 145 million eBay records were available for sale for around £450.
A pastebin statement claimed to have the “full eBay database dump with 145, 312, 663 unique records” and asked for 1.453 in Bitcoin. The seller did not respond to an email sent by IT Security Guru.
Analysis by Kenn White, Rapid7 and Per Thorsheim determined the database to be fake, and eBay also confirmed that it was not genuine. Rapid 7 global security strategist Trey Ford, said: “It’s not uncommon for criminals to spot an opportunity to cash in on an attack by offering false credentials for sale. This happened with the LivingSocial breach too.”
The seller offered a sample database of 12,663 credentials, which Ford said offered matches between email addresses and a popular Malaysian web forum, which may point to the true source of these credentials. “We have no way to confirm how statistically representative the leaked APAC sample is of the broader dataset, or whether this site is the true source,” he said.
“While we don’t think the credentials on pastebin are from eBay, it is interesting to note that cracking the passwords in the sample that was shared would take considerable time. This is nothing like what we saw when LinkedIn was breached and the stolen credentials were quickly cracked due to only SHA-1 hashing being used for storage.”
Lysa Myers, security researcher at ESET, said: “The users that are shown in the sample would represent an odd subset of users for an international company like eBay. The price asked (1.45 Bitcoin) would seem to be astonishingly low for the data of 145 million users. Even if the sample is not in fact from the eBay breach, it could potentially be data could be from another company’s leak.”
Analysis by AppRiver found that those selling the database switched their Bitcoin wallet at least twice over the course of the night, with claims that the seller may be making efforts to diversify, or that this was a honeypot set by authorities to lure in would be buyers.
Jon French, security analyst at AppRiver, said: “If you search pastebin, there are a few posts similar to this one and some with people claiming they did it.
“This could be leaked data from another breach, or just a well made fake that was fed some good starting data. But there is a lot of unique information in the file, and it varies pretty well in things like the domains, names, and birthdays, so I assume it may be real at least in some sense.
“The complete file with all 145 million people looks like it would be around 22 gigs too, that’s big and sounds about right. The Adobe breach file was about 9 gigs (153 million users) but had probably about half the data per line.”
Stephen Coty, chief security evangelist at Alert Logic, said that analysis of the data found that the password was encrypted with a sha 256 algorithm and even if you salted them, it would still take years to brute force the passwords in this database.
“So you would have to change technique and start utilising rainbow tables and attempt to brute force weak passwords,” he said. “This is assuming they did not get the encryption keys while they were are on the network, but these types of details have not been released. There are a lot of valid companies on t
he list of domains in the downloadable file.”