[BreachExchange] LiveAuctioneers reports data breach after user records sold online

Destry Winant destry at riskbasedsecurity.com
Tue Jul 14 10:06:44 EDT 2020


https://www.bleepingcomputer.com/news/security/liveauctioneers-reports-data-breach-after-user-records-sold-online/

LiveAuctioneers has disclosed a data breach after a well-known data
breach broker began selling 3.4 million stolen user records on a
hacker forum.

LiveAuctioneers is an auction site that allows people worldwide to bid
on auctioned items in real-time.

On July 10th, 2020, a data breach broker began selling a database that
allegedly contains 3.4 million user records stolen from the
LiveAuctioneers' site.

BleepingComputer was told by the data broker that the database is
being sold for $2,500.

This data allegedly contains user's email addresses, usernames, MD5
hashed passwords, names, phone numbers, addresses, IP addresses, and
social media profiles.

LiveAuctioneers database sold on a hacker forum

In addition to the this data, the seller stated that 3 million of the
accounts had their passwords decrypted, which were included in the
sale.

This type of data is a treasure trove for threat actors as it can be
used in targeted phishing attacks and credential stuffing attacks at
other sites

The user records were later verified by cybersecurity intelligence
firm CloudSEK who was able to confirm verify the data for various
users listed in the sold database.

"Using public sources we were able to verify various fields such as
mobile number, physical address and email address in the sample data.
The sample has a mix of US and UK users’ data," CloudSEK stated in a
report.

LiveAuctioneers discloses a data breach

On July 11th, a day after the database was listed for sale,
LiveAuctioneers posted a security notification stating that they
suffered a data breach.

Accord to the data breach notification, the site's data was
compromised on June 19th, 2020, after a "LiveAuctioneers data
processing partner" was breached.

"As of July 11th, 2020, our cybersecurity team has confirmed that an
unauthorized third party accessed certain user data through a security
breach at a LiveAuctioneers data processing partner that occurred on
June 19, 2020.," the data breach notification stated.

They stress that credit card information was not accessed, and do not
believe bidding history was affected.

The information exposed in this data breach matches the data being
sold on the hacker forum.

After discovering the breach, LiveAuctioneers disabled the passwords
for all bidder accounts and is requiring members to perform a password
reset via the "Forgot password" link.

What should the affected customers do?

If you are a LiveAuctioneers user and are worried that this breach has
exposed your data, you should take the following steps.

As your plain-text password may have been exposed, you should change
your password on any site that uses the same credentials.

When changing your password, be sure to use a unique and strong
password at every site that you visit. Doing this prevents a data
breach at one site affecting your account at other sites.

You should also be on the lookout for phishing attacks targeting your
LiveAuctioneer's member information and eBay accounts.

BleepingComputer has contacted LiveAuctioneers for more information
but has not heard back as of yet.


More information about the BreachExchange mailing list