Following eBay Inc's announcement of a massive data breach, a seller has turned up on Pastebin (a site notorious for anonymous posting that hacktivists often use to dump data from hacks) offering a full copy of eBay passwords for sale. The asking price is only $770, payable in Bitcoin to his personal address. The seller has posted a sample of the database covering 12,663 users from the APAC region, including password hashes, e-mail addresses and postal addresses. This has naturally inspired a flurry of media coverage in the last few hours, as your information appears to be on sale right now. Where is John Donahoe?
Let’s take a look at the advert posted by the seller and dissect what we can.
eBay Passwords up for sale using Bitcoin
The seller is requesting 1.453 Bitcoins, which at present rates is about $770. He asks buyers to send the money to his address and then e-mail the transaction ID to a Hushmail account (which provides privacy and makes the e-mail rather hard to track). This seems like a relatively low price for eBay passwords, but anyone buying the list would have to do rather a lot of password cracking to reveal the passwords. The seller's e-mail and login ‘[email protected]’ appears to have been created for the purpose of this post, as Pastebin shows us no other posts (or broader references) directly linked to this login online. What is interesting here is that the attacker has created one address for everyone to pay and hasn’t used Bitcoin ‘properly’ if he wants to transact privately with lots of individuals. That means we can go to a site and look at the blockchain (put another way, the list of people who have paid this supposed seller!).
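The ledger check described above, as an added example that is not part of the original post: it tallies payments to a single reused address and flags those that meet the 1.453 BTC asking price. The transaction schema, the placeholder address and the sample transactions are constructed for illustration and are not taken from any real block explorer.

```python
from decimal import Decimal

SATS_PER_BTC = 100_000_000
# Asking price from the advert, held in integer satoshis to avoid float rounding.
ASKING_PRICE_SATS = int(Decimal("1.453") * SATS_PER_BTC)

# Constructed placeholder, not the seller's real address.
SELLER_ADDRESS = "PLACEHOLDER_SELLER_ADDRESS"

def tx(txid, inputs, outputs):
    """Build a simplified transaction record (assumed schema)."""
    return {"txid": txid, "inputs": inputs,
            "outputs": [{"address": a, "value_sats": v} for a, v in outputs]}

# Constructed sample ledger entries touching the seller's address.
SAMPLE_TXS = [
    tx("tx-a", ["addr-buyer-1"],
       [(SELLER_ADDRESS, 145_300_000), ("addr-buyer-1-change", 5_000_000)]),
    tx("tx-b", ["addr-curious"], [(SELLER_ADDRESS, 10_000)]),       # dust, not a purchase
    tx("tx-c", [SELLER_ADDRESS], [("addr-elsewhere", 100_000)]),    # seller spending
    tx("tx-d", ["addr-buyer-2a", "addr-buyer-2b"], [(SELLER_ADDRESS, 150_000_000)]),
]

def incoming_payments(txs, address):
    """Return one record per transaction in which a third party pays `address`."""
    payments = []
    for t in txs:
        received = sum(o["value_sats"] for o in t["outputs"] if o["address"] == address)
        if received == 0 or address in t["inputs"]:
            continue  # no payment to the address, or the owner moving their own coins
        payments.append({"txid": t["txid"], "received_sats": received,
                         "senders": sorted(set(t["inputs"]))})
    return payments

def summarize(txs, address, price_sats=ASKING_PRICE_SATS):
    """Total what the address received and list payments at or above the price."""
    payments = incoming_payments(txs, address)
    full = [p for p in payments if p["received_sats"] >= price_sats]
    return {
        "total_received_sats": sum(p["received_sats"] for p in payments),
        "payment_count": len(payments),
        "full_price_txids": [p["txid"] for p in full],
        "full_price_senders": sorted({s for p in full for s in p["senders"]}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_TXS, SELLER_ADDRESS))
```

Because every buyer pays the same address, the sending addresses of full-price payments are visible to anyone reading the ledger, which is exactly the privacy failure the paragraph describes.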