Stolen eBay data up for sale – but is it really from eBay?

The UK website Telegraph reported today that they have discovered what may be the first attempt to sell identity information stolen from eBay sometime last February.

“Personal data in a format ‘consistent’ with the information stolen by hackers from eBay has been posted online in what is thought to be an underground advert hawking the details to identity thieves.

“Information about 715 individuals are listed in a document posted online and seen by the Telegraph including full names, postal and email addresses, phone numbers and dates of birth – the same details which eBay admitted that it had lost.

“Most of the addresses appear to be in Malaysia and other South East Asian countries. None of the revealed records are believed to belong to UK or European users, although 17 million of the total records belong to Britons.”

I’m a bit suspicious about this story for a number of reasons. First, why only 715? eBay reported that the cyber thieves who breached their security earlier this year made off with something like 145 million records so why not publish a 1,000 or 10,000 or a million?

Second, why only addresses for people in Malaysia and South East Asia? Wouldn’t names and addresses for presumably wealthier Americans and Europeans be more attractive bait?

Finally, the timing seems a bit too convenient. If the hackers had all those names and addresses for months why would they wait to leak just a handful of names the day after the eBay breach exploded across the news networks? Wouldn’t they have been trying to broker deals with other cyber criminals weeks if not months ago? And wouldn’t they try to make it a bit less obvious?

I think this is just a third-rate hacker (somewhere in Malaysia most likely) who cobbled together a quick list of people and organized the data so that it looked like the eBay data. I think it might be fake teaser data set out as bait in an attempt to scam the scammers. ‘See, we’ve got the data so let’s cut a deal for the rest of it.’

Or it could be a trap set up by some Malaysian cyber police force in an attempt to lure out those who would want to buy stolen identity records and they are just piggy-backing on the eBay story.

Web