A first look at the eBay user list for sale (unconfirmed whether it's legitimate)

UPDATE: Most likely this list is not legitimate. Too many things don’t add up. I would have loved to see eBay following good security practices and certainly do hope that this is the case for the “real” eBay dump.

According to http://pastebin.com/vmvjGw3N, there exists a full ebay user database dump of 145,312,663 records.

In order to get the database, you need to send 1.4453 BTC (~ 755.27 USD as per coinbase). So far nobody has done this (https://blockchain.info/address/1e4aLP3jKD9wRAcSRNVb7VHbd7KbcdPfA)

The user provided a sample of 12,663 entries from the APAC region. We’ll look at these in this blog.

WARNING: We have no idea whether these users are really from ebay or whether this all is legitimate. Let’s just assume for a moment that it is.

The entries are like: <<NAME>> |pbkdf2_sha256$12000$<<SALT>>$<<VALUE>>|<<EMAIL>>|<<ADDRESS>>|<<PHONE>>|<<DOB>>

The good news is that the password uses PBKDF2 (Password-Based Key Derivation Function 2) with SHA256 as the hashing function and a 64 bit salt. That is the standard recommended salt length.

It seems that eBay uses 12,000 iterations for this algorithm. When the standard was written in 2000, the recommended minimum number of iterations was 1000, so this is 12x that, which seems good.

Because of the salt, rainbow tables can't really be used against this, so each password needs to be computed individually (the per-password salt prevents rainbow tables from being used against all of them at once).
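As an added illustration (not code from the post, and not eBay's own code): a small Python verifier for the record and hash layout quoted above, assuming the pbkdf2_sha256$iterations$salt$base64-digest encoding that the sample entries show. The sample record, the 12-character alphanumeric salt and the field names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Encoded-hash layout seen in the sample records:
#   pbkdf2_sha256$<iterations>$<salt>$<base64 digest>
ALGORITHM = "pbkdf2_sha256"
# Assumed field order, taken from the record layout quoted in the post.
FIELDS = ("name", "password", "email", "address", "phone", "dob")


def parse_record(line: str) -> dict:
    """Split one pipe-separated dump line into its six fields (the hash contains '$' but no '|')."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))


def parse_encoded(encoded: str):
    """Return (iterations, salt, raw digest) from an encoded hash string."""
    algorithm, iterations, salt, b64_digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm: " + algorithm)
    return int(iterations), salt, base64.b64decode(b64_digest)


def make_encoded(password: str, iterations: int = 12000, salt: str = "") -> str:
    """Hash a password into the same encoded format; the salt is ASCII text, as in the format."""
    if not salt:
        # Assumption: 12 random alphanumeric characters (no '$' or '|', which would break parsing).
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(12))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, base64.b64encode(digest).decode())


def verify(password: str, encoded: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = parse_encoded(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed sample record (not from the dump), in the layout the post describes.
SAMPLE_LINE = "Jane Doe |%s|jane@example.invalid|1 Example St|+00 000|1970-01-01" % make_encoded(
    "correct horse", salt="ConstructedSalt1")

if __name__ == "__main__":
    rec = parse_record(SAMPLE_LINE)
    print(verify("correct horse", rec["password"]), verify("wrong guess", rec["password"]))
    # Same password, different salt, different digest: one precomputed table cannot cover both.
    print(make_encoded("pw", salt="saltA") != make_encoded("pw", salt="saltB"))
```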

So overall if this turns out to be legitimate, I think one can honestly say that ebay followed good security practices.

The email, address, phone and date of birth are in there in plain text, however.
