- Details of 14 million accounts supposedly of eBay and Amazon users were sold to at least two users.
- The data includes full names and delivery addresses but no payment data or email addresses.
- The two e-commerce giants have not announced any major security incidents recently.
Someone is selling about 14 million user accounts supposedly belonging to the Amazon and eBay e-commerce platforms on a popular hacking forum. The affected users are from 18 different countries, while the coverage period ranges between 2014 and 2021.
The data includes full names, postal codes, delivery addresses, shop names, and phone records. The price tag for the full package was set to $800, and according to CyberNews investigators who followed the sale closely, two persons bought the offering, and then the author closed the sale.
Judging from the sample that the seller initially provided, the data pack appears to contain valid records, but the sample listed only five entries, a tiny fraction of the claimed 14 million. How the hacker acquired the data in the first place remains unknown. It is even doubtful that the data really belongs to Amazon or eBay users, or that it came from a breach of either company.
Neither Amazon nor eBay has announced any major security incidents this year, so this could be data from password spraying or the compromise of a third-party tool linked with the user accounts. That would explain why the number is only a subset of the entire userbase of the two giants.
The sold data didn't include payment details or user credentials, or even email addresses. This makes the leak less damaging but not completely harmless. Doxxing remains a possibility, as the buyers now know what these users bought, who they are, and where they live. It would be fairly easy for hackers to also find the email addresses of most of these people, or they could even use postal mail to extort them.
That said, you can take some precautions like resetting your password and using a unique and strong passphrase now. If you receive any weird emails informing you about this very security incident, be very careful and do not follow any links embedded in the message body.