[Dataloss] (update) eBay forum mysteriously leaks account details on 1, 200 users

Avery Sawaba avery.sawaba at gmail.com
Wed Sep 26 04:21:48 UTC 2007 

If this information is accurate, this is a BIG deal, as NOONE should
EVER be storing CVV2 information. Ebay would be in big trouble with
VISA, Mastercard, etc, as this is one of the most capital sins in
credit card handling practices. You only use security codes for
real-time verification. It should never be stored.

Apologies for all the CAPS, and I hope this is all faked data. Scary
to think a big name like Ebay would be foolish enough to save
CVV2/CVC2 codes.

--Sawaba

On 9/25/07, lyger <lyger at attrition.org> wrote:
>
> http://www.theregister.co.uk/2007/09/25/ebay_account_details_published/
>
> Hackers brazenly posted sensitive information including home addresses and
> phone numbers for 1,200 eBay users to an official online forum dedicated
> to fraud prevention on the auction site.
>
> The information - which also included user names and email, and possibly
> their credit card numbers and three-digit CVV2 numbers - was visible for
> more than an hour to anyone visiting the forum. The miscreants appeared to
> create a script that caused each user to log in and post information
> associated with the person who owned the account. The script spit out
> about 15 posts per minute, starting around 5:45 a.m. California time.
>
> An eBay spokeswoman said the posts were not the result of a security
> breach on eBay and that the credit card numbers contained in the posts
> were not those eBay or PayPal had on file for those users. eBay
> representatives have begun contacting all users whose information was
> posted to head off any further fraud and to learn more about the attack.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

More information about the Dataloss mailing list