As the world is well aware right now, eBay announced this week that hackers raided their network and had access to about 145 million user records. This is probably going to go down as one of the biggest data breaches in history. I mean 145 million unique records is kind of epic.
The attack, which is said to have taken place across the period of February and March, resulted in the company issuing a global statement encouraging people to change their passwords.
The eBay hackers gained access to and copied the company’s database, which included details such as names, addresses, dates of birth, email addresses and other limited personal information. However, according to an eBay spokesperson, no passwords or credit card details were compromised.
But that does not rule out identity theft or at the very least some very heavy cyber stalking if anyone were to get hold of the list; and I believe that I was able to do that last night. In fact I was able to download a spreadsheet of over 12,000 records that include names, addresses, emails, dates of birth and contact numbers.
I stumbled across this yesterday when checking out a site from Amsterdam called Very Viral – which was created by the team at programmer sharing site pastebin. I then found myself over at pastebin.com and decided to check out the trending pastes to see if there was anything interesting happening in Australia at all and noticed what was creeping up the front page. It was a paste titled “full ebay user database dump with 145 312 663 unique records” so of course I clicked and saw this:
The price that user KbcdPfA had put on the apparent 145-million-strong eBay database was 1.453 Bitcoin or around AUD$817.00. My initial reaction was that it was a scam someone put out to get a few bucks through the door; however, KbcdPfA provided a free sample of over 12,000 records to download in his paste.
I proceeded to download the sample database via New Zealand service MEGA where the file was housed. Sure enough, the files contained all the details that were detailed in the pastebin post and matched the records that the eBay spokesperson said had been compromised.
Most of the sample list contains Asian data. I went through the list and made contact with names on there that I picked at random. Two who responded, but would not be part of this article, were indeed eBay customers. I was also able to use the data to search other people I chose at random to find out information online. During my late night investigation I was able to find out scary amounts of information about people on the sample list, just from their online footprints and Google.
I uncovered LinkedIn profiles, where people worked, their social networks, their friends, email trails between Google Groups, online invitations, photographs, their family members, where they lived and where exactly their homes were through Google Maps. And that was just me putting portions of information into various search engines. Imagine if I was actually a hacker.
eBay is currently working with law enforcement to investigate the breach. In addition to changing your eBay password, based on what I was able to find in around two hours, I would probably recommend changing other passwords too, and possibly even swapping the email address for other services such as social networks to something else as well.
If you have any further info on this breach or have been targeted because of it let me know via email@example.com or submit an anonymous tip at the top of the page.