
eBay user data for sale? - troy1987
http://pastebin.com/vmvjGw3N
======
nwh
Is there anything to suggest this is real? Classic scam would be to just sell
a bunch of random data, people tried that when Mt Gox was compromised. People
apparently provided "samples" on IRC with either random data or data from
other leaks presented as being from the Bitcoin exchange.

A quick google search shows

• [http://pastebin.com/L7CYznfK](http://pastebin.com/L7CYznfK)

• [http://pastebin.com/4YRgEwPb](http://pastebin.com/4YRgEwPb)

that have the same message with different bitcoin addresses.

~~~
icebraining
And more here (from the list of public pastes):

[http://pastebin.com/YA2b6xCZ](http://pastebin.com/YA2b6xCZ)

[http://pastebin.com/u4feDLAQ](http://pastebin.com/u4feDLAQ)

[http://pastebin.com/NQWEnW2v](http://pastebin.com/NQWEnW2v)

------
hughes
Hacking as a spectator sport: we get to watch the blockchain for buyers![0]

[0]
[https://blockchain.info/address/1e4aLP3jKD9wRAcSRNVb7VHbd7Kb...](https://blockchain.info/address/1e4aLP3jKD9wRAcSRNVb7VHbd7KbcdPfA)

~~~
aqme28
Protocol question:

What's to stop me from emailing one of those txn-ids to KbcdPfA@hushmail.com
and stealing the dump?

~~~
nwh
Nothing. People make this mistake when doing legitimate things too. You're
meant to make a new address for every single client. The response could be
that they only send to unique TXID that haven't been used before, but you can
always race it out by sending the email first.

------
dang
There is no evidence yet that this is real, so we're burying the post.

~~~
daveove
See my post below - ebay states this when you reset your password: To protect
the security and privacy of our customers, we’re asking all eBay users to
reset their passwords on or after May 21, 2014. If you already reset your
password and forgot it, please follow the reset process below. Learn more

Try with an ebay account and then revisit this decision.

~~~
akerl_
Nobody is debating that a breach occurred. But there's no evidence that this
paste is from someone who actually holds the stolen data.

------
tomp
Why the ":s"? Are they supposed to offer it for free?

Jokes aside, this, hopefully followed by a (class-action?) lawsuit, is the
only way that the companies will learn how to properly store user data. The
engineers have been talking about "best practices" for a very long time, but
it appears managers only understand the language of money.

~~~
akerl_
Let's not attempt to justify profiting from stolen personal data. This isn't a
glorious mission to save the world from poor security practices, this is
somebody trying to make money selling people's personal information.

~~~
tomp
You're a brilliant hacker, you lurk on security and blackhat forums, you know
exploits inside and out. One day, you decide to check the security of some big
consumer websites, and you find a security hole. What do you do (choose your
adventure style)?

* You're a white-hat honest hacker, and all you want is for the internet to be a safer place. You decide to report the vulnerability to the company. Unfortunately, after you sent the email to their engineering team, they told you that the security hole you found isn't critical and refuse to award you a bounty. The rest of the emails go unanswered. You try sending emails to some other departments, including customer support, sales, and legal. No response. 2 months after that, when you're taking a dump on the toilet, federal agents burst into your apartment, knock you down and arrest you without even giving you the chance to wipe your ass. You're charged with industrial espionage, breach of security, and conspiracy to defraud. It turns out that someone _did_ read your emails, checked out the logs, found traces of you researching the security hole. Your defense that you were trying to help is summarily dismissed and you rot in jail.

* You think most people are too serious and need to relax. You decide to have some fun. You download tons of embarrassing data from the company website, write them an untraceable email demanding 1000 BTC and public disclosure of your skills. You're pretty sure they will refuse your request, which they soon do. You troll the company by disclosing that they were hacked, and decide to sell the security hole to the highest bidder. You also sell chunks of data to random hackers and credit card scammers. You retire to a tropical island, drink martini and surf all day.

~~~
olegbl
If choice 1 is to supposedly be good and suffer and choice 2 is to be an
asshole - there's always choice 3: walk away.

------
kanzure
Ha! That's cute. The joke is that anyone can send any relevant transaction
hash that they see straight by email. Obviously, if they were serious, they
would offer a unique Bitcoin address to each prospective buyer.

~~~
aortenzi
Wouldn't be hard for him to follow up with "to prove it was you, sign X with
the sending private key" if there are multiple claims.

------
ForHackernews
I have an eBay account, but I haven't used it in years, and I doubt I remember
the password.

How worried about this should I be? Are there plaintext passwords exposed, or
do they just have a lot of properly salted hashes that aren't much use to an
attacker?

~~~
Mithaldu
The passwords look like this:

    pbkdf2_sha256$12000$zhMKabMgayvK$iniviUCcX9y2PYJcm0AoB3MhybRA1z2Cec1DZnLWxWc=

I do not know how much time it would take to bruteforce these. Can any
experienced HNers weigh in?

~~~
thefreeman
I am not an expert by any means, but I believe pbkdf2 is a recommended key
stretching function for a hashing method (which looks to be sha256).
[http://en.wikipedia.org/wiki/PBKDF2](http://en.wikipedia.org/wiki/PBKDF2)

I think cracking difficulty depends on how many "iterations" they use though.

~~~
bfish510
The iterations are listed as 12000. This value is supposed to double every two
years and is around 128k I believe currently.

~~~
peterwwillis
This is probably to try to offset Moore's law, by keeping the hash cracking
difficulty in line with technology progress. But it's funny how this works. If
you think about Moore's law, it's basically describing the number of
transistors on an IC, those doubling every two years. But it doesn't address
expansion in the ways we use our technology. If new machines come out which
allow us to stack even more GPUs into a single machine, performance capacity
per cracking host will rise even farther than double per year.

One person estimated an 8-GPU cracking machine two years ago at about 539
billion hashes per minute. At 128k hashes for one password, you could make
about 70,182 attempts per second.

But here[1] is a five-machine cluster from a year and a half ago with 25 GPUs.
Its speed? 63 billion _per second_ against SHA1. This results in 492,187
attempts per second. Assuming SHA256 is about 50% slower, this would be around
246,093 per second.

Some password dictionaries contain millions of words. But if your password is
'0Password', it'll probably be cracked in a couple of seconds on modern
hardware.

[1] [http://arstechnica.com/security/2012/12/25-gpu-cluster-crack...](http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/)
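The hash format quoted above and the iteration arithmetic in the posts that follow it can be made concrete with a small script. This is an added example, not code from eBay or from any of the commenters: it parses the Django-style `pbkdf2_sha256$iterations$salt$base64digest` string as posted, generates and verifies hashes in the same format with the standard library, and applies the thread's simplification that guesses per second equal the raw hash rate divided by the iteration count. The password used for the constructed hash is my own choice; the password behind the posted digest is unknown.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Hash string exactly as posted in the thread (Django-style PBKDF2-SHA256 encoding).
POSTED_HASH = "pbkdf2_sha256$12000$zhMKabMgayvK$iniviUCcX9y2PYJcm0AoB3MhybRA1z2Cec1DZnLWxWc="


def parse_hash(encoded):
    """Split 'algorithm$iterations$salt$base64digest' into its fields.

    The salt is stored as plain ASCII text, not base64; only the digest is encoded.
    """
    algorithm, iterations, salt, digest_b64 = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: " + algorithm)
    return {
        "iterations": int(iterations),
        "salt": salt,
        "digest": base64.b64decode(digest_b64),
    }


def make_hash(password, iterations=12000, salt=None):
    """Produce a hash string in the same format; the salt is random unless given."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(12))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(digest).decode("ascii"))


def verify_password(password, encoded):
    """Recompute the digest for a candidate password and compare in constant time."""
    fields = parse_hash(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    fields["salt"].encode("ascii"),
                                    fields["iterations"])
    return hmac.compare_digest(candidate, fields["digest"])


def guesses_per_second(raw_hash_rate, iterations):
    """The thread's simplification: raw SHA rate divided by the iteration count.

    Real PBKDF2 costs two HMAC calls (four compressions) per iteration, so this
    overstates attacker throughput, but it shows why iterations matter.
    """
    return raw_hash_rate / iterations


def seconds_to_exhaust(dictionary_size, raw_hash_rate, iterations):
    """Time to try every word of a dictionary against one salted hash."""
    return dictionary_size / guesses_per_second(raw_hash_rate, iterations)


if __name__ == "__main__":
    fields = parse_hash(POSTED_HASH)
    print("iterations:", fields["iterations"], "salt:", fields["salt"])
    # Constructed example hash with the posted salt; the password is my choice.
    h = make_hash("0Password", salt="zhMKabMgayvK")
    print("verify right password:", verify_password("0Password", h))
    print("verify wrong password:", verify_password("0password", h))
    # 63 billion SHA1/s (the cluster cited above) against 12k and 128k iterations.
    for iters in (12000, 128000):
        print(iters, "iterations -> %.0f guesses/s" % guesses_per_second(63e9, iters))
    print("10M-word dictionary at 128k iterations: %.1f s"
          % seconds_to_exhaust(10_000_000, 63e9, 128000))
```

Because each user has a distinct salt, the attacker has to repeat the whole dictionary run per account; raising the iteration count is what makes each of those runs slower, which is the point bfish510 makes about doubling it over time.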

------
CompuHacker
None of the sample e-mail addresses contains "ebay", as in
"example+ebay@gmail.com". I just thought that was interesting.

~~~
jasonkostempski
Does eBay even allow you to enter that? What benefit would that provide?

~~~
TeMPOraL
example+ebay@gmail.com and example@gmail.com point to the same GMail inbox;
you can use the part after + sign to filter incoming mail. A quite useful
feature, I must say.

~~~
ptk
I love that feature as well, but I must say that I'm thwarted by faulty email
address verification logic at least 75% of the time and end up resorting to my
no-frills address.
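The validation failure ptk describes (an address check that rejects the `+` sign) and the filtering TeMPOraL describes are both easy to show in code. The following is an added example, not eBay's or anyone's real validator: it contrasts a too-strict regex that rejects plus-tagged addresses with one that accepts them, and adds a canonicalizer that maps the tagged form back to the underlying inbox, which is what a site would use to spot the same mailbox registered under many tags. Treating `+` as a tag separator, and ignoring dots for Gmail, are provider conventions rather than a standard, so the canonical form is for duplicate detection only and must never replace the address actually used for delivery.

```python
import re

# Too strict: the local-part character class omits '+', so "example+ebay@gmail.com"
# is rejected even though it is a perfectly deliverable address.
_NAIVE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Accepts the characters commonly seen in real local parts, including '+'.
# Still a pragmatic check, not a full RFC 5322 parser (constructed for this example).
_LENIENT = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Providers known (as of the time of writing) to ignore dots in the local part.
_DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def naive_is_valid(address):
    """The faulty check: rejects plus-addressing."""
    return bool(_NAIVE.match(address))


def is_valid(address):
    """The corrected check: plus-tagged addresses pass."""
    return bool(_LENIENT.match(address))


def split_tag(address):
    """Return (base_address, tag) where tag is the text after '+', or None."""
    local, domain = address.rsplit("@", 1)
    if "+" in local:
        base, tag = local.split("+", 1)
        return base + "@" + domain, tag
    return address, None


def canonical_inbox(address):
    """Map an address to the inbox it most likely lands in, for duplicate detection.

    Lower-cases the address, strips the '+tag', and for dot-insensitive providers
    removes dots from the local part. Never use this form for actual delivery.
    """
    base, _tag = split_tag(address.strip())
    local, domain = base.rsplit("@", 1)
    domain = domain.lower()
    local = local.lower()
    if domain in _DOT_INSENSITIVE:
        local = local.replace(".", "")
    return local + "@" + domain


def find_duplicate_signups(addresses):
    """Group registered addresses that resolve to the same inbox."""
    groups = {}
    for addr in addresses:
        if not is_valid(addr):
            continue
        groups.setdefault(canonical_inbox(addr), []).append(addr)
    return {inbox: addrs for inbox, addrs in groups.items() if len(addrs) > 1}


if __name__ == "__main__":
    # Constructed sample registrations.
    sample = ["example+ebay@gmail.com", "Ex.ample@GMAIL.com",
              "example+paypal@gmail.com", "someone@example.org", "not-an-address"]
    print("naive accepts plus:", naive_is_valid(sample[0]))
    print("lenient accepts plus:", is_valid(sample[0]))
    print("tag:", split_tag(sample[0]))
    print("duplicates:", find_duplicate_signups(sample))
```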

------
JonnieCache
Now _that_ is a nice route to some fast cash. (I'm assuming that no CSV file
will actually be forthcoming.)

Kudos to whoever moved quickly on this one. A fool and his money...

------
sogen
Hey, you can buy it cheaper!

0.5 BTC here

[http://pastebin.com/Tfs07HDp](http://pastebin.com/Tfs07HDp)

~~~
pdx
[https://blockchain.info/address/1Kfxm6Y5bRDnC9JLwq6vpYYcw439...](https://blockchain.info/address/1Kfxm6Y5bRDnC9JLwq6vpYYcw439zgvVzB)

------
ssw1n
It would be hilarious if the seller accepted bids for that on eBay ....

------
twistedpair
Worth more than $1000, wouldn't you think? Or perhaps Ebay will buy it
regardless of the price, in hopes of quashing this?

~~~
icebraining
Nobody said s/he would only sell it once. It's $1000 _per copy_. Assuming it's
true, of course.

------
daveove
Just reset my password and was greeted by this message: To protect the
security and privacy of our customers, we’re asking all eBay users to reset
their passwords on or after May 21, 2014. If you already reset your password
and forgot it, please follow the reset process below. Learn more

------
numberwhun
Even if it is real, the losers haven't been paid anything:
[https://blockchain.info/address/1e4aLP3jKD9wRAcSRNVb7VHbd7Kb...](https://blockchain.info/address/1e4aLP3jKD9wRAcSRNVb7VHbd7KbcdPfA)

------
davidw
1.453 bitcoin. Reference to the fall of Constantinople, or patternicity at
work?

~~~
RaSoJo
Great catch there.
[http://en.wikipedia.org/wiki/1453](http://en.wikipedia.org/wiki/1453)

"It is sometimes cited as the notional end of the Middle Ages by
historians..."

------
Eye_of_Mordor
Why didn't they sell it on eBay?

~~~
nofinator
EXCELLENT SELLER!!1 FAST SHIPPING! WOULD BUY FROM HACKER AGAIN!!1
A++++++++++++!

------
runn1ng
Slightly racist observation about the sample data:

there is surprisingly large amount of Asian-sounding and Middle-East-sounding
names there. Not sure how the data was chosen, but I would expect more...
white-sounding names.

~~~
kapkapkap
It says sample "from apac region" right in the pastebin.

~~~
runn1ng
Oh. I missed that. That makes sense then.

~~~
Gigablah
More specifically, all the sample data is from Malaysia. So you'll get mostly
Chinese, Malay and Indian names.

(I'm Malaysian).

~~~
runn1ng
Thanks!

(by the way, I want to visit Singapore in the summer once I have my finals
done. But that's beside the point.)

------
rcthompson
So, should I also change my security question?

~~~
bkurtz13
I'm really getting tired of having to change my cat's name.

~~~
twistedpair
Poor kitty. You should just give it a wildcard name.

~~~
ForHackernews
Here, Mr. (Fuzz|Purr|Meow)[aeo](les|ly|ey)!

------
coldcode
All personally identifiable data should be stored in a non usable form. You'd
think people by now would know that eventually your data will leave your
protection.

~~~
bsaul
But then, why store them ?

~~~
TkTech
I believe that he's implying they would be hashed just like your password and
used solely for verification with another system (like transaction
authorization).

~~~
valarauca1
I don't think hashing an address is a very good way to store it, recovery
might take a while.

Likely the poster means personal information. Name, date of birth, address,
backup email, phone number should be encrypted. Even just using the user's
password as a key would be better than clear text.

~~~
rplnt
Wouldn't it be easier to "guess" the passwords then? If you know both input
and output.

~~~
valarauca1
It wouldn't be difficult, but a bandage is better than leaving a gaping wound.
Yes, it would be better to store a second salt and do a scrypt style password
generation.

------
mpg33
$750 for a copy...seems reasonable

------
platz
Why is this on the HN front page?

------
kerridge0
quick somebody automatically send thousands of "spam" claim emails whenever a
payment is made!

------
scottydelta
Haha, smartasses :D

~~~
hamidr
:D

------
praeivis
They should start an auction on e-bay. ijs.

