eBay: 36 Sellers Spill 668K Customer Records
TL;DR:
In 2022, a cloud‑based CRM platform was compromised, exposing 668'440 eBay transaction records from 36 sellers and 282'378 buyers. The leak includes full names, usernames, email addresses, postal addresses, phone numbers, payment amounts, dates of purchase, and in some cases buyer messages. Why does it matter to me? My data is in this leak.
How I Became Aware Of This Leak:
While testing an OSINT tool, I queried my email address. The query returned my name, phone number, home address, and eBay username. I couldn’t care less about my email address or phone number being out there on the Internet, but my home address is a whole different story. That’s why I had to look into this.
Tracing The Origins of The Leak:
No super advanced investigative techniques here. After some Googling, I concluded that, although the leak dates from 2022, it was most likely first published only in 2024 on a site called “BreachForums” by a user with the alias “Adka72424”. Unfortunately, I don’t have screenshots of the original post because BreachForums was taken down by the FBI not long after I began my investigation.
The Actual Leaked Data:
I won’t go into details on how I did it, but I managed to get what appears to be the actual full leaked database.
The file is named “ebay.com_order_database.sql” (710'075'776 bytes, ~710MB). It contains 807'497 lines and is an SQL dump from a cloud-based CRM system.
This database holds only eBay transaction data. There are fields related to AliExpress, but they are empty. The transactions span from May 29, 2016, to March 20, 2018.
In total, it includes 666'440 transactions, 36 unique sellers, and 282'378 unique buyers, along with full names, usernames, email addresses, postal addresses, phone numbers, payment amounts, dates of purchase, and, in some cases, buyer messages.
Some buyer checkout messages: 🙈
hidden shipping extra roll please ship it as gifts
please ship discreetly, and do not include words like sex toy, Masturbator, G-spot, Anal, Vaginal, sexy etc.. I want it to be discreet okay. and thank you. writing as lower back or feet massager works fine.
Hi Please do not mention any words that indicate that the product is a sex toy because it is not allowed in my country
Please send the parcel discreet. Do not mention any sex toy or vibrator words. Just keep as gift. Thanks.
DO NOT Mention SEX TOYS on the package!! Thanks
Wrapping Up (extra roll, lol?)
36 sellers, over 668K exposed records, and plenty of awkward “please don’t write sex toy” notes to keep things interesting. You’re probably wondering what I was buying to end up in this leak 😄
Anyways, no data is ever 100% safe. The question is: who else might have a copy? Just because something isn’t public yet doesn’t mean it isn’t already out there.
eBay isn’t directly responsible for this breach; the sellers who exported the data are. One could argue that eBay should enforce stricter controls on data exports and third‑party integrations. I’ll probably reach out to see if eBay cares to comment, and if they do, I’ll post an update.