Researchers claim to have found evidence that cybercriminals are offering for sale a database containing the personal details of 3.4 million users of an online art and antiques auction website, as well as three million cracked passwords.
News of a security breach involving a database of LiveAuctioneers customers became public on Saturday, after the online auction site published a statement appearing to shift the blame onto an unnamed data processing partner. However, LiveAuctioneers did not give any indication of the scale of the breach.
Security researchers at CloudSEK say that the day before the announcement from LiveAuctioneers, someone offered for sale on an underground forum the details of 3.4 million users of the auction website, alongside three million cracked username/password combinations.
Selling LiveAuctioneers.com database. LiveAuctioneers is a live auctions marketplace.
Date: June 2020
Users: 3.4 million
Data: Email addresses, Username, Names, Phone numbers, Physical addresses, IP addresses, Social media profiles, Passwords
Cracked: 3 million Email : Password
According to CloudSEK, the seller also shared 15 user records and 24 email-password combinations to allow potential purchasers to verify that the breached data was indeed for sale.
I had previously asked LiveAuctioneers what they meant by “encrypted passwords” in their breach announcement. If they were indeed using MD5, which is widely considered to be next to useless, then it’s perhaps not a surprise that they haven’t answered me.
LiveAuctioneers users who may have had their personal information and passwords compromised in this security breach would be wise to not only ensure that they are not using the same password anywhere else on the internet, but also to be on the lookout for other attempted scams which may result from their personal information now being up for sale.
One comment on “Millions of LiveAuctioneers passwords offered for sale following data breach”
I think it’s a shame that I wasn’t notified personally about this breach. Actually I’m more than vaguely upset. Considering I have never bid on anything or even looked on the site for over a year or two.
Actually kinda shady, if you ask me. If my information ends up hacked, believe me, I’m heading directly to you for resolution.