Millions of LiveAuctioneers passwords offered for sale following data breach

Cracked passwords. Going going gone.

Graham Cluley
@gcluley

Researchers claim to have found evidence that cybercriminals are offering for sale a database containing the personal details of 3.4 million users of an online art and antiques auction website, as well as three million cracked passwords.

News of a security breach involving a database of LiveAuctioneers customers became public on Saturday, after the online auction site published a statement appearing to shift the blame onto an unnamed data processing partner. However, LiveAuctioneers did not give any indication of the scale of the breach.

Security researchers at CloudSEK say that the day before the announcement from LiveAuctioneers, someone offered for sale on an underground forum the details of 3.4 million users of the auction website, alongside three million cracked username/password combinations.

Selling LiveAuctioneers.com database. LiveAuctioneers is a live auctions marketplace.

Date: June 2020
Users: 3.4 million
Data: Email addresses, Username, Names, Phone numbers, Physical addresses, IP addresses, Social media profiles, Passwords
Passwords: MD5
Cracked: 3 million Email : Password

According to CloudSEK, the seller also shared 15 user records and 24 email-password combinations to allow potential purchasers to verify that the breached data was indeed for sale.

I had previously asked LiveAuctioneers what they meant by “encrypted passwords” in their breach announcement. If they were indeed using MD5, which is widely considered to be next to useless, then it’s perhaps not a surprise that they haven’t answered me.
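As an added illustration (this is not code from LiveAuctioneers, CloudSEK or the original article), the Python sketch below shows why unsalted MD5 is a poor way to store passwords and one way a site can move off it: legacy MD5 rows are checked at login and replaced with a salted scrypt record. The function names, the `scrypt$salt$key` record format, the cost parameters and the sample accounts are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune for your own hardware.
N, R, P = 2**14, 8, 1


def legacy_md5(password):
    """Unsalted MD5 hex digest: fast, and identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def _scrypt(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)


def scrypt_record(password):
    """Hypothetical record format: scrypt$<salt hex>$<key hex>, fresh salt each time."""
    salt = os.urandom(16)
    return "scrypt${}${}".format(salt.hex(), _scrypt(password, salt).hex())


def verify_and_upgrade(password, stored):
    """Check a login attempt; return (ok, record to keep in the database)."""
    if stored.startswith("scrypt$"):
        _, salt_hex, key_hex = stored.split("$")
        candidate = _scrypt(password, bytes.fromhex(salt_hex)).hex()
        return hmac.compare_digest(candidate, key_hex), stored
    # Legacy row: verify against the MD5 digest, then replace it on success.
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, scrypt_record(password)
    return False, stored


if __name__ == "__main__":
    # Constructed sample rows (not breach data): two users share one password.
    db = {"alice@example.com": legacy_md5("Summer2020!"),
          "bob@example.com": legacy_md5("Summer2020!")}
    print("MD5 rows identical:", db["alice@example.com"] == db["bob@example.com"])
    for user in db:
        ok, db[user] = verify_and_upgrade("Summer2020!", db[user])
    print("scrypt rows identical:", db["alice@example.com"] == db["bob@example.com"])
```

Rows belonging to users who never log in again stay as MD5 under this scheme, so they need separate handling, such as a forced password reset.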

LiveAuctioneers users who may have had their personal information and passwords compromised in this security breach would be wise to not only ensure that they are not using the same password anywhere else on the internet, but also to be on the lookout for other attempted scams which may result from their personal information now being up for sale.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One comment on “Millions of LiveAuctioneers passwords offered for sale following data breach”

  1. I think it’s a shame that I wasn’t notified personally about this breach. Actually I’m more than vaguely upset. Considering I have never bid on anything or even looked on the site for over a year or two.
    Actually kinda shady, if you ask me. If my information ends up hacked, believe me, I’m heading directly to you for resolution.
