The Internet was aflutter with rumors Thursday that user data from the recent cyberattack on eBay was already up for sale -- and at a bargain basement price of 1.45 bitcoins, or roughly $750. The company was quick to say the sale was a hoax -- but that doesn't necessarily mean that that eBay user data isn't being shopped around somewhere on the Internet's underbelly.
On Wednesday, eBay asked its 145 million active customers to change their passwords as a "precautionary measure" after the company discovered it was breached earlier this spring, although it remains unclear how many users data was actually stolen. While the company says no financial information like credit card numbers was swiped, it does believe hackers accessed other personal information about users -- including names, dates of birth, e-mail addresses, physical addresses and encrypted passwords.
While eBay argues the breach was less serious than say, the Target breach that compromised tens of millions of credit card numbers last year, experts worry that the information could be used to perpetrate other types of fraud or impersonation.
"If you have my name, address, date of birth, telephone number … there's really no way to try to determine what the overall impact of that will be," said Raj Samani, the vice president and chief technical officer of McAfee EMEA.
Samani also said it's inevitable that the data is going to be put up for sale somewhere online: "The reality is that this data that was stolen is going to be sold."
And when whoever has the data manages to break the encryption securing the passwords they obtained, users who practice poor password hygiene -- like reusing passwords or using similar formulas to generate them across sites -- will be at even more risk. (Seriously, if you used the same password for eBay as anywhere else, change it. Now.)
But beyond changing your passwords, there's honestly not a lot users can actually do when these type of breaches surface.
"The irony is that consumers can take significant measures to protect themselves, but in many ways you are really at the mercy of those who protect your data," says Samani. Personal data released to online services is like a type of "digital tattoo," he says. Once you hand over data, it can be a sort of permanent record that you just have to trust companies will keep private.
The apparently fake eBay data that was supposedly up for sale is evidence of that. Trey Ford, global security strategist at cybersecurity firm Rapid7, obtained a modest sample of the data offered up for sale and believes it contained legitimate personal information -- just not from eBay. "In our initial analysis of the 12,663 credentials offered as a sample of the larger database, we found matches between email addresses and a popular Malaysian Web forum, which may point to the true source of these credentials," he says.