On Sunday, a user on a well-known hacking forum advertised what he claimed was a cache of stolen data from car rental giant Europcar. The user claimed to have stolen the personal details of more than 48 million Europcar customers and said they were “listening to offers” to sell the hacked data.
Other than that, the data appears to be completely fabricated — perhaps created with ChatGPT, according to Europcar.
Europcar spokesman Vincent Vevaud told TechCrunch that the company investigated the alleged breach after a threat intelligence service alerted it to the forum ad.
“After thoroughly checking the data contained in the sample, we are confident that this ad is false,” Vevaud said in an email, adding:
– The number of records is completely wrong and inconsistent with ours,
– Sample data likely generated by ChatGPT (addresses do not exist, postal codes do not match, first and last name do not match email addresses, email addresses use very unusual TLDs),
– And most importantly, none of these email addresses exist in our customer database.
The hacking forum user told TechCrunch in an online chat that “the data is real,” without backing that statement up with any evidence.
In the forum post, the user claimed the data includes usernames, passwords, full names, home addresses, postal codes, dates of birth, passport numbers and driver’s license numbers, among other data.
The sample data posted online, however, does not appear to be legitimate, not only according to Europcar, but also according to Troy Hunt, who runs the data breach notification service Have I Been Pwned, as well as a TechCrunch analysis of the data .
“First on the legality of the data, a lot of things don’t add up. Most obviously, the email addresses and usernames bear no resemblance to their corresponding human names.” Hunt wrote to X (formerly Twitter.)
Hunt also added that many of the alleged home addresses are fake and “simply don’t exist.”
The forum user did not respond when asked to explain Hunt’s remarks.
At the same time, Hunt is also skeptical that the data was created with ChatGPT.
“We’ve had manufactured breaches since forever because people want airtime or to make a name for themselves or maybe a quick buck. Who knows, never mind, because none of that makes it ‘AI,’” Hunt wrote.
Europcar’s Vevaud did not immediately respond to questions about how the company determined the data was generated with ChatGPT.
When TechCrunch asked ChatGPT to create “a dataset of fake stolen personal data,” the chatbot responded that it could not help “create or promote any illegal or unethical activities.”
While it is nearly impossible to determine with certainty that fake data was created with ChatGPT or a similar text-generating AI platform, it is possible that one day hackers will use these tools to create large datasets of fake data.