EBay Probes Supposed User Lists Sold on Black Market

Apparently, there isn’t much honor among e-thieves.

EBay (NASDAQ:EBAY) told FOX Business Thursday that databases cyber crooks are selling on the digital black market claiming to contain its user database thus far have all turned out to be bogus.

The cyber security community has been atwitter with talk about the breach of eBay’s corporate network and user database. The database in question contained a slew of information, including names, telephone numbers, dates of birth, physical addresses and encrypted passwords.

Since the e-commerce giant sports 145 million active users, such a cache of personal data could be tantalizing for hackers looking to commit illicit activities. Experts said it’s more likely the information would be combined with other datasets (particularly ones with financial data) to make it more valuable.

In an unsurprising turn of events, postings promising the full database have popped up on forums hackers frequent. In one offer, on a website called Pastebin, the dataset is on sale for 1.453 bitcoin, which equates to about $760.85. Bitcoin, the cyber currency, is preferred among hackers for its anonymity.

As proof, the listing offers a sample “containing 12,663 entries with names (mostly Asian), hashed passwords (encrypted with PBKDF2 SHA-256), email addresses, physical addresses, phone numbers, and dates of birth,” a security analyst who requested anonymity because of the sensitivity of the matter said in a note to clients.

The individual said “while analysts should be immediately critical of any such claims, this one shows promise of being legitimate.”

“A cursory search over the data suggests that this is a new data dump, with entries not seen elsewhere in the public domain,” he added.

Liron Damri, who worked at eBay’s PayPal unit for half-a-decade, specializing in modeling account takeover issues, had a different take.

“I really have doubts about the data,” Damri, who is now COO at a fraud prevention firm called Forter, said in an interview with FOX Business. He said that while he couldn’t be certain the database was completely bogus, there were several factors that set off alarms. One key issue was that portions of the table lacked consistency, and certain fields that are mandatory weren’t present in the way he would have expected.

EBay spokesperson Kari Ramirez told FOX Business “the published lists we have checked so far are not authentic eBay accounts.” However, she wouldn’t comment on the authenticity of the particular list in question.

The Federal Bureau of Investigation’s San Francisco field office has been assisting San Jose, California-based eBay in its probe. A spokesperson declined to comment on the list, citing the ongoing nature of the investigation.

Ramirez restated the firm’s suggestion that all users reset their passwords. Forter’s Damri also said users should take a close look at their bank accounts and make sure there aren’t any fraudulent charges since it remains unclear exactly what the hackers plan on doing with the data.