A user posted on a popular hacking forum on Sunday what he claimed was a cache of data stolen from car rental giant Europcar. The user claimed to have stolen the personal information of more than 48 million Europcar customers, and said they were “listening to offers” to sell the hacked data.
Except the data appears to be entirely composed, possibly generated using ChatGPT, according to Europcar.
Europcar spokesman Vincent Vivod told TechCrunch that the company investigated the alleged breach after its threat intelligence service alerted it to the forum ad.
“After carefully checking the data in the sample, we are confident that this advertisement is false,” Vivod said in an email, adding:
– The number of records is completely wrong and inconsistent with our records,
– Sample data may have been generated by ChatGPT (addresses do not exist, zip codes do not match, first and last name do not match email addresses, email addresses use very unusual TLDs),
– Most importantly, none of these email addresses exist in our customer database.
A hacking forum user told TechCrunch in an online chat that “the data is real,” without backing up that statement with any evidence.
In the forum post, the user claimed that the data included usernames, passwords, full names, home addresses, zip codes, dates of birth, passport numbers, and driver’s license numbers, among other data.
However, the sample of data posted online does not appear to be legitimate, not only according to Europcar, but also according to Troy Hunt, who runs the data breach notification service Have I Been Pwned, as well as a TechCrunch analysis of the data. .
“First, in terms of the legitimacy of the data, there are a bunch of things that don’t add up. The most obvious is that the email addresses and usernames don’t look like the corresponding people’s names. Hunt wrote on X (formerly Twitter).
Hunt also added that many of the alleged home addresses are fake and “don’t exist.”
The forum user did not respond when asked to explain Hunt’s remarks.
Meanwhile, Hunt also doubts that the data was created using ChatGPT.
“We’ve had fabricated breaches forever because people want airtime or to make a name for themselves or maybe a quick buck. Who knows, it doesn’t matter, because none of that makes it AI.
Europcar’s Vevaud did not immediately respond to questions about how the company determined that the data was generated using ChatGPT.
When TechCrunch asked ChatGPT to create a “dataset of fake stolen personal data,” the chatbot responded that it could not help “create or promote any illegal or unethical activities.”
While it is almost impossible to confidently confirm that fake data was created using ChatGPT or a similar text generation AI platform, it is possible that hackers will one day use these tools to create large datasets of fake data.