LiveAuctioneers Revealed a Data Breach of Millions of Passwords, Email Addresses, and Phone Numbers

On Saturday, LiveAuctioneers, an online platform that lets users participate in real-life antique, art, and jewelry auctions, announced that some of its customers' personal data may have been compromised. The notification was quick to point out that the breach happened at a third-party data processing partner, and that LiveAuctioneers was just one of the many online services that were affected, but we can't imagine that this has done anything to brighten the mood of the people whose data got leaked.

Hackers access LiveAuctioneers data after a third-party breach

The initial version of the data breach notification claimed that, among other things, the hackers may have had access to the last four digits of some of the users' credit cards. An update from July 12, however, removed that information. Instead, the amended notice stated that on June 19, hackers attacked LiveAuctioneers' data processing partner and gained access to users' names, email and mailing addresses, phone numbers, and "encrypted passwords."

Cybersecurity expert Graham Cluley was curious to find out what LiveAuctioneers meant by "encrypted passwords," and he also wanted to know how many people may have been affected, which is why he tried to get in touch with the company and ask for more information. Yesterday, he got his answers. Unfortunately, they came not from LiveAuctioneers, but from a hacking forum where cybercriminals buy and sell stolen data.

Hackers try to sell the compromised LiveAuctioneers data

Yesterday, researchers from CloudSEK announced that their risk monitoring platform had detected an advert for 3.4 million stolen LiveAuctioneers records on a clear web hacking forum. The post was dated July 10, a day before the platform announced the breach, and, just like LiveAuctioneers said, the records contained names, email and mailing addresses, and, in some cases, IPs. For about 3 million of the accounts, however, the seller also claimed to have the cracked passwords.

The advert said that the passwords were hashed with MD5, which, as Graham Cluley pointed out, is "next to useless" when it comes to protecting credentials, and the mere fact that the hacker managed to retrieve most of the login data in less than a month should be good enough proof of how woefully insecure the algorithm is.
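To make the MD5 point concrete, here is an added example (not LiveAuctioneers' code, and not from the original article) that stores the same constructed accounts two ways: a single MD5 pass, and scrypt with a random per-user salt. The article only says the passwords were "hashed with MD5", so the unsalted scheme, the account names, the sample passwords and the scrypt parameters are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not breach data): two users share one password.
SAMPLE_USERS = {"alice": "Gavel-1887", "bob": "Gavel-1887", "carol": "oil-on-canvas"}

# Assumed work factors for illustration; tune them to your own hardware.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def legacy_md5(password: str) -> str:
    """Weak storage: one fast, unsalted MD5 pass (assumed legacy scheme)."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password: str) -> str:
    """Hardened storage: random per-user salt plus memory-hard scrypt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    if record.startswith("scrypt$"):
        _, salt_hex, key_hex = record.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(key.hex(), key_hex)
    return hmac.compare_digest(legacy_md5(password), record)

def shared_digest_groups(table: dict) -> list:
    """Return groups of users whose stored records are identical."""
    groups = {}
    for user, record in table.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    md5_table = {u: legacy_md5(p) for u, p in SAMPLE_USERS.items()}
    scrypt_table = {u: scrypt_record(p) for u, p in SAMPLE_USERS.items()}
    # Unsalted MD5: equal passwords give equal rows, so one recovered
    # password exposes every account that reused it.
    print("MD5 rows sharing a digest:   ", shared_digest_groups(md5_table))
    # Salted scrypt: every row is unique and each guess costs real work.
    print("scrypt rows sharing a digest:", shared_digest_groups(scrypt_table))
```

With unsalted MD5 the leaked table itself shows which accounts share a password; with per-user salts and a memory-hard function, each row has to be attacked separately and slowly.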

It's fair to say that all passwords should be considered compromised now, but is this such a bad thing?

How bad are the consequences?

At first glance, you'd be forgiven for thinking that the breach isn't such a huge deal. LiveAuctioneers' cybersecurity team apparently knew that they weren't using the most secure password storage method, and when they learned about the breach, they immediately disabled all bidder accounts' most recent passwords. Like it or not, users affected by the attack will need to change their LiveAuctioneers passwords.

They must also make sure, however, that the compromised login details aren't used on any other websites or services. Otherwise, the hackers can easily take over their accounts with a simple credential stuffing attack. Unfortunately, for LiveAuctioneers users, this is just one of the problems.

Let's not forget that LiveAuctioneers is a platform that helps with the sale of art, antiques, jewelry, and other expensive goods. People who use it have a lot of money to spend and are therefore the perfect targets for sophisticated spearphishing attacks. The personal data is not offered for free, either, which means that whoever buys it will likely put in the effort to make a return on their investment. In other words, LiveAuctioneers users must be even more careful than usual.

July 15, 2020