[Dataloss] (update) eBay forum mysteriously leaks account details on 1,200 users

Arsen Shirokov 1and1 at canadaballoons.com
Wed Sep 26 12:39:47 UTC 2007


The fact that the data was posted on eBay forum doesn't necessarily
mean it was stolen from eBay.  That's what eBay is saying according to
the message below.

Also, have you never seen phish sites that ask for CVV/CVV2?  Surely
neither phishers nor those being phished care about PCI DSS :)

Arsen

On 9/26/07, Avery Sawaba <avery.sawaba at gmail.com> wrote:
> If this information is accurate, this is a BIG deal, as NO ONE should
> EVER be storing CVV2 information. eBay would be in big trouble with
> VISA, Mastercard, etc, as this is one of the most capital sins in
> credit card handling practices. You only use security codes for
> real-time verification. It should never be stored.
>
> Apologies for all the CAPS, and I hope this is all faked data. Scary
> to think a big name like eBay would be foolish enough to save
> CVV2/CVC2 codes.
>
> --Sawaba
>
> On 9/25/07, lyger <lyger at attrition.org> wrote:
> >
> > http://www.theregister.co.uk/2007/09/25/ebay_account_details_published/
> >
> > Hackers brazenly posted sensitive information including home addresses and
> > phone numbers for 1,200 eBay users to an official online forum dedicated
> > to fraud prevention on the auction site.
> >
> > The information - which also included user names and email, and possibly
> > their credit card numbers and three-digit CVV2 numbers - was visible for
> > more than an hour to anyone visiting the forum. The miscreants appeared to
> > create a script that caused each user to log in and post information
> > associated with the person who owned the account. The script spit out
> > about 15 posts per minute, starting around 5:45 a.m. California time.
> >
> > An eBay spokeswoman said the posts were not the result of a security
> > breach on eBay and that the credit card numbers contained in the posts
> > were not those eBay or PayPal had on file for those users. eBay
> > representatives have begun contacting all users whose information was
> > posted to head off any further fraud and to learn more about the attack.
> >
> > [...]
> > _______________________________________________
> > Dataloss Mailing List (dataloss at attrition.org)
> > http://attrition.org/dataloss
> >
> > Tenable Network Security offers data leakage and compliance monitoring
> > solutions for large and small networks. Scan your network and monitor your
> > traffic to find the data needing protection before it leaks out!
> > http://www.tenablesecurity.com/products/compliance.shtml
> >

