On Sunday, a user in a well-known hacking forum advertised what they claimed was a cache of stolen data from the rental car giant Europcar. The user claimed to have stolen the personal information of more than 48 million Europcar customers, and said they were “listening to offers” to sell the hacked data.
Except, the data appears to be completely made up — perhaps created with ChatGPT, according to Europcar.
Europcar spokesperson Vincent Vevaud told TechCrunch that the company investigated the alleged breach after a threat intelligence service alerted it to the forum advertisement.
“Thoroughly checking the data contained in the sample, we are confident that this advertisement is false,” Vevaud said in an email, adding:
- The number of records is completely wrong & inconsistent with ours,
- The sample data is likely ChatGPT-generated (addresses don't exist, ZIP codes don't match, first name and last name don't match email addresses, email addresses use very unusual TLDs),
- And most importantly, none of these email addresses are present in our customer database.
The hacking forum user told TechCrunch in an online chat that “the data is real,” without supporting that statement with any evidence.
In the forum post, the user claimed the data included usernames, passwords, full names, home addresses, ZIP codes, birth dates, passport numbers and driver license numbers, among other data.
The sample of data posted online, however, does not appear to be legitimate, not only according to Europcar, but also according to Troy Hunt, who runs the data breach notification service Have I Been Pwned, as well as a TechCrunch analysis of the data.
“Firstly on the legitimacy of the data, a bunch of things don't add up. The most obvious one is that the email addresses and usernames bear no resemblance to the corresponding people names,” Hunt wrote on X (previously Twitter.)
Hunt also added that many of the alleged home addresses are fake and “just don’t exist.”
The forum user did not respond when asked to explain Hunt’s observations.
At the same time, Hunt is also skeptical that the data was created with ChatGPT.
“We've had fabricated breaches since forever because people want airtime or to make a name for themselves or maybe a quick buck. Who knows, it doesn't matter, because none of that makes it ‘AI,’” Hunt wrote.
Europcar’s Vevaud did not immediately respond to questions on how the company determined the data was generated with ChatGPT.
When TechCrunch asked ChatGPT to create “a dataset of fake stolen personal data,” the chat bot responded that it could not assist “in creating or promoting any illegal or unethical activities.”
While it’s nearly impossible to confidently establish that the fake data was created with ChatGPT or a similar text-generating AI platform, it is feasible that one day hackers will use these tools to create large datasets of fake data.