An unknown user was offering the data of 14 million Amazon and eBay customers’ accounts for sale on a popular hacking forum. The data appears to come from users who had Amazon or eBay accounts from 2014-2021 in 18 different countries.
The database was being sold for $800 and the accounts are divided into their respective countries. The leaked data includes the customer’s full name, postal code, delivery address, and shop name, as well as 1.6 million phone records.
The post author has now closed the sale, after two copies were reportedly sold.
The post author provided five database entries as a sample of the leak:
At the moment, it is unclear how the post author acquired the data. CyberNews has not been able to independently verify or confirm that the data definitely comes from Amazon or eBay for the time period listed, 2014-2021.
An Amazon representative informed CyberNews that they investigated the claims and that there was no evidence of any data breaches.
The most likely explanation appears to be that neither Amazon nor eBay suffered any breaches on their end. Instead, the threat actor probably used password spraying, a popular method, to acquire these credentials. Essentially, password spraying is a type of brute-force attack in which an attacker tries to get into a large number of accounts by using a small number of commonly used passwords.
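Seen from the defender's side, the spraying pattern described above shows up in authentication logs as one source failing against many accounts with only a try or two each. The following is an added example, not part of the original article; the log format, thresholds, function names and sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2021-03-01T10:00:00 203.0.113.7 alice FAIL
2021-03-01T10:00:20 203.0.113.7 bob FAIL
2021-03-01T10:00:40 203.0.113.7 carol FAIL
2021-03-01T10:01:00 203.0.113.7 dave FAIL
2021-03-01T10:01:20 203.0.113.7 erin FAIL
2021-03-01T10:01:40 203.0.113.7 frank OK
2021-03-01T10:02:00 198.51.100.9 alice FAIL
2021-03-01T10:02:05 198.51.100.9 alice FAIL
2021-03-01T10:02:10 198.51.100.9 alice FAIL
2021-03-01T10:05:00 192.0.2.44 grace FAIL
2021-03-01T10:05:30 192.0.2.44 grace OK
"""

def parse(log):
    """Return a list of (timestamp, source_ip, account, success) tuples."""
    rows = (line.split() for line in log.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), ip, acct, res == "OK") for ts, ip, acct, res in rows]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_tries=2):
    """Return {ip: accounts} for sources whose failures inside one window hit
    many distinct accounts with only a few tries per account (assumed thresholds)."""
    failures = defaultdict(list)
    for ts, ip, account, ok in events:
        if not ok:
            failures[ip].append((ts, account))
    flagged = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            tries = Counter(acct for _, acct in rows[start:end + 1])
            # Many accounts, few tries each: spraying. One account, many tries: not.
            if len(tries) >= min_accounts and max(tries.values()) <= max_tries:
                flagged[ip] = sorted(tries)
    return flagged

def compromised(events, flagged):
    """Accounts a flagged source then logged in to: candidates for a forced reset."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(detect_spray(events), compromised(events, detect_spray(events)))
```

Grouping by source IP is a simplification; the same counting can be keyed on other request attributes when attempts are spread across many addresses.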
Should you be concerned?
Fortunately, the database does not seem to include very sensitive data, such as payment details, national ID numbers, or even email addresses.
However, the data currently put up for sale is still potentially sensitive, and it can be used for various purposes, such as doxxing users by revealing private information (such as sensitive products they don’t want anyone to know about) on a public forum. Cybercriminals can also use the data for spam-list building or business intelligence purposes.
Whenever this happens – and data leaks occur far more often than we’d like – it’s important for anyone who may be affected by this leak to:
- Check if your data has been leaked by using a service like CyberNews’ personal data leak checker, which currently has more than 15 billion records
- Change your passwords immediately. You should be using a unique password for each account you create. To help with this, use a trusted password manager that can create really strong passwords you don’t need to remember
- Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails