In this short piece by Lysa Myers, security researcher at ESET, the sample of a data dump from the eBay breach that was posted on Pastebin is discussed.
Key takeaways from the post include:
A spokesperson from eBay has stated that this sample does not match the data in their database, and the details of the data itself seem to back this up. The users shown in the sample would be an odd subset of users for an international company like eBay, and the price asked (1.45 Bitcoin) would be astonishingly low for the data of 145 million users. Even if the sample is not in fact from the eBay breach, it could still be data from another company's leak.
If you have not done so already, this is a good reminder to update your eBay password to a strong, unique one. It should be something that you can easily remember but nobody else could easily guess. My colleague, David Harley, has written extensively on this topic. Unfortunately, eBay allows passwords as short as six characters. We suggest at least 8, preferably more.
While eBay requires some mix of upper, lower, number, and symbol, it is wise to choose something much longer, using a combination of uppercase and lowercase letters, numbers and special characters.
Because eBay owns PayPal, they frequently suggest users link their PayPal account to their eBay account. In the wake of the breach, if you have previously followed this suggestion, you may wish to revisit this idea and unlink those accounts. You can still pay with PayPal any time you want.
Linked accounts can provide criminals an easier way into a wider variety of data, since they effectively carry authentication from one service across to another. More simply put: any time you remove a step from the process of logging in as a user, you remove a step of security against attackers trying to gain access to your information.