About 14 million alleged eBay and Amazon accounts may have been sold on a popular hacking forum, Cybernews reported yesterday. Apparently, the unknown user who listed the data for sale at $800 has now closed the sale after two copies were reportedly sold.
Cybernews is unsure how the information was obtained, and the publication has not been able to independently verify whether the data sold was indeed eBay and Amazon account data. The forum user who offered the data for sale claimed the accounts dated from 2014 to 2021 and included the customer’s full name, postal code, delivery address, and shop name, as well as 1.6 million mobile phone records.
The data was divided into country groups. If valid, the alleged list contains about 7.5 million US accounts, 3 million UK accounts (shown as both GB and UK in the screenshot), and 1.1 million German accounts.
Cybernews reached out to Amazon regarding its story and a company representative confirmed “they investigated the claims and that there was no evidence of any data breaches.”
Neither eBay nor Amazon has made any recent public claims of data breaches, so there are two plausible scenarios for how this information could have been obtained.
- The hacker(s) used a brute-force attack known as “password spraying.” In this attack, the bad actor tries a small number of commonly used passwords against a large number of accounts, rather than many passwords against one account.
- Another possibility is that the hacker(s) used information from a data breach unrelated to either company, such as the recent COMB leak. In this type of attack, the exposed data (often an email address or username and password) is used to access other popular services, because many users reuse the same email address or username and password across multiple services.
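The two scenarios above leave different traces in a service's authentication logs, which is what a defender would look for. Password spraying shows up as one source touching many accounts with only one or two guesses each; breach-data reuse (credential stuffing) shows up as many accounts each being tried from an IP the account has never used, usually spread across many sources, with the occasional success marking an account whose reused password worked. The following is an added example, not code from the article or from either company; the log lines, the "known device" history and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    src_ip: str
    user: str
    ok: bool


# Constructed sample of login events (not real logs). Format: timestamp src_ip user OUTCOME
SAMPLE_LOG = """\
2021-03-10T10:00:01 192.0.2.10 alice SUCCESS
2021-03-10T10:01:00 203.0.113.7 alice FAIL
2021-03-10T10:01:01 203.0.113.7 bob FAIL
2021-03-10T10:01:02 203.0.113.7 carol FAIL
2021-03-10T10:01:03 203.0.113.7 dave FAIL
2021-03-10T10:01:04 203.0.113.7 erin FAIL
2021-03-10T10:01:05 203.0.113.7 frank FAIL
2021-03-10T10:05:00 198.51.100.1 grace FAIL
2021-03-10T10:05:01 198.51.100.2 heidi FAIL
2021-03-10T10:05:02 198.51.100.3 ivan SUCCESS
2021-03-10T10:05:03 198.51.100.4 judy FAIL
2021-03-10T10:05:04 198.51.100.5 mallory FAIL
"""

# Constructed "known device" history: the IPs each account has previously signed in from.
KNOWN_IPS = {u: {f"192.0.2.{10 + i}"} for i, u in enumerate(
    ["alice", "bob", "carol", "dave", "erin", "frank",
     "grace", "heidi", "ivan", "judy", "mallory"])}


def parse_events(text):
    """Parse the whitespace-separated constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(ts, ip, user, outcome == "SUCCESS"))
    return events


def detect_spraying(events, min_users=5, max_attempts_per_user=2):
    """Password spraying: one source tries a few guesses against many accounts.

    Returns {src_ip: stats} for every source that touched at least `min_users`
    accounts while never exceeding `max_attempts_per_user` on any of them.
    """
    by_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        by_ip[e.src_ip][e.user] += 1
    flagged = {}
    for ip, users in by_ip.items():
        worst = max(users.values())
        if len(users) >= min_users and worst <= max_attempts_per_user:
            flagged[ip] = {"accounts": len(users), "max_per_account": worst}
    return flagged


def detect_stuffing(events, known_ips, min_accounts=4, max_accounts_per_source=2):
    """Credential stuffing: many accounts each tried from an unfamiliar source.

    Only sources that touch a handful of accounts count (a sprayer hitting dozens
    is handled by detect_spraying). Any success from an unfamiliar IP is listed
    as a likely compromised account, since the attacker already had a working
    password for it.
    """
    accounts_per_source = defaultdict(set)
    for e in events:
        accounts_per_source[e.src_ip].add(e.user)
    unfamiliar = [
        e for e in events
        if e.src_ip not in known_ips.get(e.user, set())
        and len(accounts_per_source[e.src_ip]) <= max_accounts_per_source
    ]
    accounts = {e.user for e in unfamiliar}
    sources = {e.src_ip for e in unfamiliar}
    if len(accounts) < min_accounts or len(sources) < 2:
        return None
    return {
        "accounts": len(accounts),
        "sources": len(sources),
        "compromised": sorted(e.user for e in unfamiliar if e.ok),
    }


def analyze(text, known_ips=KNOWN_IPS):
    """Run both detectors over a log text and return their findings together."""
    events = parse_events(text)
    return {"spraying": detect_spraying(events), "stuffing": detect_stuffing(events, known_ips)}


if __name__ == "__main__":
    for kind, finding in analyze(SAMPLE_LOG).items():
        print(kind, finding)
```

On the constructed sample, `detect_spraying` flags `203.0.113.7` (six accounts, one attempt each) and `detect_stuffing` reports five accounts hit from five unfamiliar sources with `ivan` as the account whose reused password worked; alice's login from her own known IP triggers neither. Real services add rate limiting and per-account lockout on top of this kind of detection, and they require the "known device" history that the example simply hard-codes.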
Time to Do a Security Check-Up
While the alleged Amazon and eBay user data offered did not contain highly sensitive information such as credit card numbers, other banking or payment data, Social Security or other government ID numbers, or even email addresses, it should again serve as a reminder that using simple passwords, or the same password across multiple services, is dangerous.
All modern browsers now contain a password manager that makes it easy to keep track of a unique, difficult-to-guess password for every online service. ‘123456’ is still one of the most commonly used passwords, according to a recent NordPass report.
While the password managers in Chrome and Safari can securely share data with other trusted computers and mobile devices in the same ecosystem (Google’s Chrome/Android and Apple’s Safari/iOS), third-party password managers make it easy to securely share data across different operating systems and devices.
Most password managers offer a freemium model: basic password features are free, while more advanced features, sharing across different devices often being one of them, carry a small cost. In addition, paid tiers may include dark web monitoring and other security features to help keep passwords unique and secure.
How to Keep Account Details Secure
Here is a list of popular third-party password managers to check out:
Here are also some tips on how to keep your online accounts secure:
- Never use the same password for different online accounts or apps.
- Use long, difficult-to-guess passwords that contain no common names and include upper- and lowercase letters, numbers and symbols (if allowed). For example, something like this: Yget%3oe)34HjZ
- Add two-factor verification to accounts when offered. Most two-factor authentication methods send a code via SMS or through an app, which means anyone logging in must also have access to your mobile device.
- Close old accounts and request deletion of all data if this is not done automatically.
- Some services allow you to check account activity. See their help sections to find out whether this is offered; the feature lets you review whether the activity on your account is legitimate.
- Act when you see emails from services and apps you use about account activity, but do not click on any link in the emails, just in case they are phishing scams. For example, if you receive an email claiming someone logged into your account, go directly to the website or app, log in, and immediately change your password. Some services and apps also track “authorized” devices and revoke all of them when the password is changed.
- Change your passwords every 90 days, but follow the advice above on secure passwords so that the new password for a service or app is not similar to the old one.
- Disconnect third-party apps that you have given access to a service once that access is no longer needed.