Millions of LiveAuctioneers passwords offered for sale following data breach

Cracked passwords. Going going gone.

Researchers claim to have found evidence that cybercriminals are offering for sale a database containing the personal details of 3.4 million users of an online art and antiques auction website, as well as three million cracked passwords.

News of a security breach involving a database of LiveAuctioneers customers became public on Saturday, after the online auction site published a statement appearing to shift the blame onto an unnamed data processing partner. However, LiveAuctioneers did not give any indication of the scale of the breach.

Security researchers at CloudSEK say that the day before the announcement from LiveAuctioneers, someone offered for sale on an underground forum the details of 3.4 million users of the auction website, alongside three million cracked username/password combinations.

Breached LiveAuctioneers data for sale

Selling database. LiveAuctioneers is a live auctions marketplace.

Date: June 2020
Users: 3.4 million
Data: Email addresses, Username, Names, Phone numbers, Physical addresses, IP addresses, Social media profiles, Passwords
Passwords: MD5
Cracked: 3 million Email : Password

According to CloudSEK, the seller also shared 15 user records and 24 email-password combinations to allow potential purchasers to verify that the breached data was indeed for sale.

I had previously asked LiveAuctioneers what they meant by “encrypted passwords” in their breach announcement. If they were indeed using MD5, which is widely considered to be next to useless, then it’s perhaps not a surprise that they haven’t answered me.
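Why the "Passwords: MD5" line in the listing matters to anyone running a user database, as an added example (not code from LiveAuctioneers, CloudSEK or this article): unsalted MD5 gives every user with the same password the same stored value, while a salted, memory-hard hash does not, and legacy rows can be upgraded at the next successful login. The function names, the `scrypt$salt$digest` record format, the scrypt parameters and the sample accounts are all assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def md5_hex(password: str) -> str:
    """Legacy scheme: bare, unsalted MD5 hex digest (fast and identical for identical passwords)."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password: str, salt: bytes | None = None) -> str:
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<digest hex>' (illustrative format)."""
    salt = salt or os.urandom(16)  # fresh random salt per user unless re-deriving
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> tuple[bool, str]:
    """Check a login attempt and return (ok, record_to_store).

    A legacy MD5 row that verifies is replaced by a scrypt record, so the
    weak digest leaves the database once the user next signs in.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = scrypt_record(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored), stored
    if hmac.compare_digest(md5_hex(password), stored):
        return True, scrypt_record(password)  # upgrade on successful login
    return False, stored

if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    table = {"alice": md5_hex("Gavel2020!"), "bob": md5_hex("Gavel2020!")}
    print("same MD5 row for both users:", table["alice"] == table["bob"])
    for user in table:
        ok, table[user] = verify("Gavel2020!", table[user])
        print(user, "login ok:", ok, "->", table[user][:30] + "...")
    print("rows still identical after upgrade:", table["alice"] == table["bob"])
```

Accounts that never log in again keep their MD5 row under this scheme, so a forced password reset is still needed for those after a breach.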

LiveAuctioneers users who may have had their personal information and passwords compromised in this security breach would be wise to not only ensure that they are not using the same password anywhere else on the internet, but also to be on the lookout for other attempted scams which may result from their personal information now being up for sale.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Millions of LiveAuctioneers passwords offered for sale following data breach”

  1. Laurie Aney

    I think it’s a shame that I wasn’t notified personally about this breach. Actually I’m more than vaguely upset. Considering I have never bid on anything or even looked on the site for over a year or two.
    Actually kinda shady, if you ask me. If my information ends up hacked, believe me, I’m heading directly to you for resolution.
