Is there anything to suggest this is real? Classic scam would be to just sell a bunch of random data, people tried that when Mt Gox was compromised. People apparently provided "samples" on IRC with either random data or data from other leaks presented as being from the Bitcoin exchange.
Nothing. People make this mistake when doing legitimate things too. You're meant to make a new address for every single client. The response could be that they only send to unique TXID that haven't been used before, but you can always race it out by sending the email first.
See my post below - ebay states this when you reset your password: To protect the security and privacy of our customers, we’re asking all eBay users to reset their passwords on or after May 21, 2014. If you already reset your password and forgot it, please follow the reset process below. Learn more
Try with an ebay account and then revisit this decision.
Just because there is no evidence doesn't mean that it should be ignored. Lots of things don't yet have evidence but it is still worth letting people know so that they are ready to take the appropriate action when the time comes.
Let's face it. Lots of posts on HN are pure speculation but they don't get buried. In this case, leaving it up won't do any harm? If it's not real, then no problem. You may have convinced a few people that they should change their passwords though, but that is a good thing. If it is real, then people will already have changed their passwords. It is win win.
Personally, I'm getting really sick of the mods deciding what news is and isn't relevant and/or suitable for me.
No one is purporting to decide what's suitable for you personally. It's a question of what belongs on the HN front page. If the speculation were coming from a known source, this might be a harder call. But an anonymous pastebin that no one has any evidence for? That falls below any standard. So what you're really saying is that HN should have no editors at all, and that's not how HN has ever worked.
This was a good call. eBay has just officially denied that the user data is theirs [1], and there are claims online that the data was from a separate previous breach [2]. This is almost definitely a scam.
Why the ":s"? Are they supposed to offer it for free?
Jokes aside, this, hopefully followed by a (class-action?) lawsuit, is the only way that the companies will learn how to properly store user data. The engineers have been talking about "best practices" for a very long time, but it appears managers only understand the language of money.
Let's not attempt to justify profiting from stolen personal data. This isn't a glorious mission to save the world from poor security practices, this is somebody trying to make money selling people's personal information.
You're a brilliant hacker, you lurk on security and blackhat forums, you know exploits inside and out. One day, you decide to check the security of some big consumer websites, and you find a security hole. What do you do (choose your adventure style)?
* You're a white-hat honest hacker, and all you want is for the internet to be a safer place. You decide to report the vulnerability to the company. Unfortunately, after you sent the email to their engineering team, they told you that the security hole you found isn't critical and refuse to award you a bounty. The rest of the emails go unanswered. You try sending emails to some other departments, including customer support, sales, and legal. No response. 2 months after that, when you're taking a dump on the toilet, federal agents burst into your apartment, knock you down and arrest you without even giving you the chance to wipe your ass. You're charged with industrial espionage, breach of security, and conspiracy to defraud. It turns out that someone did read your emails, checked out the logs, found traces of you researching the security hole. Your defense that you were trying to help is summarily dismissed and you rot in jail.
* You think most people are too serious and need to relax. You decide to have some fun. You download tons of embarrassing data from the company website, write them an untraceable email demanding 1000 BTC and public disclosure of your skills. You're pretty sure they will refuse your request, which they soon do. You troll the company by disclosing that they were hacked, and decide to sell the security hole to the highest bidder. You also sell chunks of data to random hackers and credit card scammers. You retire to a tropical island, drink martinis and surf all day.
Also, pentesting sites without their consent is a poor choice to begin with, which is closely linked to why the "I was just trying to help" defense works so poorly.
Deciding to "have some fun" by exposing people's private information and profiting from that "fun" are pretty terrible hobbies.
Ha! That's cute. The joke is that anyone can send any relevant transaction hash that they see straight by email. Obviously, if they were serious, they would offer a unique Bitcoin address to each prospective buyer.
I have an eBay account, but I haven't used it in years, and I doubt I remember the password.
How worried about this should I be? Are there plaintext passwords exposed, or do they just have a lot of properly salted hashes that aren't much use to an attacker?
Cost factor of 12000 seems solid to me (depends on the hardware they're running on but I'd say brute forcing your way through that would be pretty impossible)
A PBKDF2 cost factor/iteration count of 12000 and 32-byte output means each candidate passphrase costs 12002 SHA256 blocks.
I can buy a crappy bitcoin miner which will do 2GH/s for about USD19.
Let's say we're going to use the Gawker leak as our dictionary. That's ~200,000 candidate passwords.
For a given user, I can therefore find their password (if it exists in the Gawker set) in 12002 * 200000 = 2.4GH SHA256 applications. That will take 1.2 seconds.
So for all 125 million eBay users, that's about 4 years. This work is trivially parallelisable, so buying more or faster hardware is brutally effective.
Note: there is obviously, and hopefully, a non-negligible probability that a user's password isn't in that set. Brute force of (say) the whole 8 printable-ASCII character password space would take longer but would be guaranteed to find about 50% (from Adobe leak) of users' passwords.
It's more than I expected from eBay, I think because of the likes of LinkedIn and their user credential leak, I expected bad habits from larger companies.
Rainbow tables can't be used against the passwords, so each one will need to be computed individually to either find the result or a collision. That's likely why the seller is only asking for $1000.
This is actually about as good as it gets for password hashes, so kudos to eBay.
Since these are salted and require 12000 iterations, cracking individual passwords will be quite time consuming. The preferred method in this case, though, is to go after low hanging fruit.
The way one would do this is to try something like the 500 most common passwords against all entries in the table. This won't take very long (compared to trying to brute force a bunch of individual passwords), and will probably yield a ton of passwords.
I am not an expert by any means, but I believe pbkdf2 is a recommended key stretching function for a hashing method (which looks to be sha256). http://en.wikipedia.org/wiki/PBKDF2
I think cracking difficulty depends on how many "iterations" they use though.
This is probably to try to offset Moore's law, by keeping the hash cracking difficulty in line with technology progress. But it's funny how this works. If you think about Moore's law, it's basically describing the number of transistors on an IC, those doubling every two years. But it doesn't address expansion in the ways we use our technology. If new machines come out which allow us to stack even more GPUs into a single machine, performance capacity per cracking host will rise even farther than double per year.
One person estimated an 8-GPU cracking machine two years ago at about 539 billion hashes per minute. At 128k hashes for one password, you could make about 70,182 attempts per second.
But here[1] is a five-machine cluster from a year and a half ago with 25 GPUs. Its speed? 63 billion per second against SHA1. This results in 492,187 attempts per second. Assuming SHA256 is about 50% slower, this would be around 246,093 per second.
Some password dictionaries contain millions of words. But if your password is '0Password', it'll probably be cracked in a couple of seconds on modern hardware.
It's going to be computationally difficult but not impossible to break an individual password, but breaking all of them is unlikely in our (solar system's) lifetime.
However, if you were targeting a specific user and they didn't use a particularly strong password, it's possible that you could brute force it.
Properly salted hashes can still harm many people. You could still run a brute force on the top 10k most common passwords and with ~150m average computer users, you're going to get a few. And you have their email address. There's a good chance they're using the same password for email. Now you have their email.
With user-individual salts and assuming 100ms for a password trial, 100ms * 150e6 * 10e3 is approximately 4750 years, and while this can be done in parallel, it's not exactly a small amount of resources you'd have to devote to get these relatively simple passwords.
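The cost arithmetic in the PBKDF2 comments above (12000 iterations, 32-byte output, a ~200,000-word leaked list against 125 million users) and the "try the top 500 against everyone" strategy in the later comments are easy to get wrong by a constant factor, so here is a worked version. This is an added example, not code from the thread or from eBay; the user table, passwords and word list are constructed, and the cost model is an assumption I state in the docstring: with `per_iteration=1` it reproduces the thread's 1.2 s-per-user figure, with the default `per_iteration=2` (an HMAC is an inner and an outer SHA-256 compression) the estimate roughly doubles.

```python
import hashlib
import math
import secrets

ITERATIONS = 12000   # iteration count reported for the leaked hashes
DKLEN = 32           # 32-byte output
HASH_NAME = "sha256"


def pbkdf2_sha256(password: str, salt: bytes,
                  iterations: int = ITERATIONS, dklen: int = DKLEN) -> bytes:
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen)


def make_record(password: str) -> dict:
    """Store a per-user random salt next to the derived hash, as a site would."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": pbkdf2_sha256(password, salt)}


def sha256_compressions_per_guess(iterations: int = ITERATIONS, dklen: int = DKLEN,
                                  per_iteration: int = 2) -> int:
    """Work per candidate password, in SHA-256 compression-function calls (assumed model).

    The HMAC inner/outer padded-key states are set up once per guess (two compressions);
    each of the `iterations` HMACs then costs `per_iteration` compressions: two in
    practice (inner hash, outer hash), one under the simpler count used in the thread.
    Output longer than the 32-byte digest needs ceil(dklen / 32) independent blocks.
    """
    blocks = math.ceil(dklen / 32)
    return 2 + blocks * iterations * per_iteration


def seconds_to_crack(users: int, dictionary_size: int, compressions_per_second: float,
                     **kdf_params) -> float:
    """Time to try every dictionary word against every user's salted hash.

    Per-user salts mean no work is shared between users, so cost is users * words."""
    per_guess = sha256_compressions_per_guess(**kdf_params)
    return users * dictionary_size * per_guess / compressions_per_second


def crack_low_hanging_fruit(records: dict, wordlist: list) -> dict:
    """Try a short list of common passwords against every user, most popular first.

    The target is the weak accounts across the whole table, not any single account."""
    found = {}
    for word in wordlist:
        for user, rec in records.items():
            if user not in found and pbkdf2_sha256(word, rec["salt"]) == rec["hash"]:
                found[user] = word
    return found


# Constructed sample table (not data from the leak): two weak passwords, one strong one.
SAMPLE_USERS = {
    "alice": make_record("password1"),
    "bob": make_record("letmein"),
    "carol": make_record("c0rrect-h0rse-battery-staple-7x"),
}
# A few entries standing in for a "top 500" list (constructed; order = popularity).
TOP_PASSWORDS = ["123456", "password", "letmein", "qwerty", "password1"]

if __name__ == "__main__":
    print(crack_low_hanging_fruit(SAMPLE_USERS, TOP_PASSWORDS))
    # The thread's scenario: 125 million users, a ~200,000-word list, one 2 GH/s device.
    years = seconds_to_crack(125_000_000, 200_000, 2e9) / (365 * 86400)
    print(f"{years:.1f} years on one device under the two-compressions-per-HMAC model")
```

The point the numbers make is the one the thread circles around: the iteration count buys a constant factor (12000 or 24000 times a raw SHA-256), and a constant factor is exactly what more GPUs or a shorter word list erase. What it cannot erase is the per-user salt, which is why the attack that pays is a short list against everyone rather than an exhaustive search against anyone.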
They did force a password reset on everyone trying to log in yesterday; even if they already reset their password when they first heard the news, effectively locking them out for the evening because their password reset system was understandably overwhelmed with requests. Thanks eBay!
eBay didn't say what kind of encryption they had, only that they were encrypted. Personally I'm more concerned about the personal information in the leaked data that wasn't protected at all! So sure, change your password, but it won't change the fact that someone got your name, email address, physical address, phone number, and date of birth.
sp332, to be honest here, I am pretty sure if you search your real life name on the internet you will definitely find somewhere that you can buy the information you just mentioned.
I am not trying to be mean here, I am just trying to let you know in case you didn't know.
Plus you already have your email publicly displayed here ... and I found some weird stuff about amateur ... xxx movies when I googled you T_T
It's not just the actor, it's a pretty common name. People mistype my email address into all kinds of things, judging by the random emails I get for pets in Texas and real estate in the UK etc.
I know what it does, I use it to categorize stuff I email to myself (+reading, +reference, etc.). I just don't see how it would help filtering against some who also knows what it does. Maybe they don't show up in the list because they stripped it out already.
It's a feature of gmail to provide unique addresses. It might protect your other accounts that use your base e-mail address from an automated attack vs. the compromised data. It doesn't matter much if the database goes public, though.
It doesn't cost you anything, and few things piss me off more when I'm signing up for a service than when it won't let me use an RFC-valid email address because it has stupid validation in place.
I do this with almost every website as a way to segregate or block mail if needed. It's pretty eye opening to see what companies trade or sell your email addresses.
example+ebay@gmail.com and example@gmail.com point to the same GMail inbox; you can use the part after + sign to filter incoming mail. A quite useful feature, I must say.
I love that feature as well, but I must say that I'm thwarted by faulty email address verification logic at least 75% of the time and end up resorting to my no-frills address.
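Two things in the plus-addressing comments above are worth seeing in code: the sign-up validation that wrongly rejects `example+ebay@gmail.com`, and the reason a `+tag` stops protecting you once a dump goes public, namely that whoever holds the dump can canonicalise the addresses back to the base inbox. This is an added example, not code from the thread. The local-part character set is the RFC 5322 `atext` set; the Gmail rules (dots ignored, `googlemail.com` is the same mailbox) are Gmail's documented behaviour; treating `+tag` as a sub-address on every other domain is an assumption, since other providers may not support it, and the leaked rows are constructed.

```python
import re

# RFC 5322 "atext" characters; '+' is legal in a local part and must not be rejected.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
LOCAL_PART = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
DOMAIN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def is_valid_email(addr: str) -> bool:
    """Syntactic check that accepts plus-addressed mailboxes naive validators reject."""
    if addr.count("@") != 1 or len(addr) > 254:
        return False
    local, domain = addr.split("@")
    return len(local) <= 64 and bool(LOCAL_PART.match(local)) and bool(DOMAIN.match(domain))


def split_tag(addr: str) -> tuple:
    """Return (base address, tag) for a plus-addressed mailbox; tag is '' when absent.

    Assumption: '+' marks a sub-address on every domain, which is the convention but not
    guaranteed outside providers such as Gmail."""
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", tag


def canonical_mailbox(addr: str) -> str:
    """Collapse the aliases one inbox can carry, as an attacker joining leaks would.

    For Gmail, dots in the local part are ignored and googlemail.com is the same mailbox."""
    addr = addr.strip().lower()
    base, _tag = split_tag(addr)
    local, _, domain = base.rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(rows: list) -> dict:
    """Map each real inbox to the list of tags it was signed up with across the rows."""
    groups = {}
    for row in rows:
        _base, tag = split_tag(row.strip().lower())
        groups.setdefault(canonical_mailbox(row), []).append(tag)
    return groups


# Constructed sample rows in the shape of a leaked address column (not real data).
LEAKED = ["Example+ebay@gmail.com", "ex.ample+shop@googlemail.com", "someone+ebay@example.org"]

if __name__ == "__main__":
    print(is_valid_email("example+ebay@gmail.com"))
    print(group_by_mailbox(LEAKED))
```

The tag still earns its keep for the case the comments describe, filtering and attributing who sold your address, and against automated credential stuffing that replays the leaked string verbatim. It is not a privacy control against a human or a tool that normalises first.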
Just reset my password and was greeted by this message: To protect the security and privacy of our customers, we’re asking all eBay users to reset their passwords on or after May 21, 2014. If you already reset your password and forgot it, please follow the reset process below. Learn more
Slightly racist observation about the sample data:
there is surprisingly large amount of Asian-sounding and Middle-East-sounding names there. Not sure how the data was chosen, but I would expect more... white-sounding names.
That's not racist at all, just unobservant. It's not racism to think a name sounds Asian. How did we get so confused about terms like racism and feminism?
All personally identifiable data should be stored in a non usable form. You'd think people by now would know that eventually your data will leave your protection.
I believe that he's implying they would be hashed just like your password and used solely for verification with another system (like transaction authorization).
I don't think hashing an address is a very good way to store it, recovery might take a while.
Likely the poster means personal information. Name, date of birth, address, backup email, phone number should be encrypted. Even just using the user's password as a key would be better than clear text.
It wouldn't be difficult, but a bandage is better than leaving a gaping wound. Yes, it would be better to store a second salt and do a scrypt-style password generation.
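The "second salt and scrypt" design the last two comments sketch, worked through so the trade-offs are visible. This is an added example, not code from the thread or from eBay. It uses the standard library's `hashlib.scrypt` and, because the standard library has no AES, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for an AEAD such as AES-GCM; the scrypt parameters, salt sizes and labels are assumptions, and the account data is constructed.

```python
import hashlib
import hmac
import json
import secrets

# Assumed scrypt parameters (tune to the login-latency budget you can afford).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real stream cipher."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys, split from the data key by label."""
    return (hmac.new(key, b"pii-encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"pii-mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject tampering and wrong keys."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_account(password: str, pii: dict) -> dict:
    """Two salts: one for the login verifier, a second for the data key.

    The stored verifier is therefore not the key that decrypts the PII; an attacker with
    the table still has to recover the password itself to read the data."""
    login_salt, data_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "login_salt": login_salt,
        "verifier": kdf(password, login_salt),
        "data_salt": data_salt,
        "pii": seal(kdf(password, data_salt), json.dumps(pii).encode("utf-8")),
    }


def login_and_read_pii(record: dict, password: str):
    """Return the decrypted PII on a correct password, None otherwise."""
    if not hmac.compare_digest(kdf(password, record["login_salt"]), record["verifier"]):
        return None
    return json.loads(unseal(kdf(password, record["data_salt"]), record["pii"]))


if __name__ == "__main__":
    # Constructed account data, not a real person.
    rec = create_account("correct horse", {"name": "Test User", "dob": "1990-01-01"})
    print(login_and_read_pii(rec, "correct horse"))
    print(login_and_read_pii(rec, "wrong password"))
```

The caveats are the ones the earlier reply hints at. The data key is only as strong as the password, so an account cracked by the dictionary attack discussed above loses its PII too; the second salt just stops the verifier from doubling as the key. The service can only read the PII while the user is logged in, which breaks shipping labels and support lookups unless the plaintext is cached or re-encrypted under a service key at login. And a password reset orphans the ciphertext unless a recovery key is escrowed, which is the "recovery might take a while" objection in concrete form.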
A quick Google search shows
• http://pastebin.com/L7CYznfK
• http://pastebin.com/4YRgEwPb
that have the same message with different bitcoin addresses.