Following the recent data breach at eBay, a Sun on Sunday investigation suggests that login details are being sold online. The newspaper claims that user credentials are available for around £25 each.
If true, those login details could allow fraudulent traders to pose as long-standing sellers with exemplary feedback ratings which they could then use to dupe unsuspecting buyers into handing over cash for non-existent goods.
The newspaper reports that its investigation uncovered hackers willing to sell usernames and passwords for as little as £24.93 each. One even offered investigators an unlimited amount of eBay login credentials for the sum of £2,100.
The report does not indicated where the Sun on Sunday contacted the hackers but I would guess it would have been secure sites on the so-called dark web.
The investigation comes after eBay admitted that it had been breached and that whoever was behind the attack had made off with the credentials of many millions of users.
The breach itself may prove costly to eBay, given that it may now be subject to investigation by the Information Commissioner’s Office here in the UK, as well as data regulators in multiple other jurisdictions. Depending upon what they learn, there may be severe financial consequences for the company.
Furthermore, my own opinion is that the breach could cause a large amount of embarrassment to the company, especially in terms of how well it responded to the news.
I believe eBay acted too slowly after first discovering the breach and that its communication with customers leaves much to be desired. This, I believe, is most evident in terms of sending out emails to users, advising them of the breach and asking them to change their passwords. I received such an email five days after I had heard the news and I know others who only received the same communication this weekend. Others still haven’t heard anything from eBay at all yet.
Given the results of the Sun on Sunday investigation and, assuming the credentials for sale are actually genuine, I strongly advise anyone who hasn’t changed their eBay password yet to do so now, irrespective of whether they have received any communication from the company.