LiveAuctioneers security breach puts users at risk

“Encrypted passwords” and contact details fall into the hands of unauthorised party.


LiveAuctioneers, the website which broadcasts live auctions selling antiques, art, and collectibles, has warned that user details have fallen into unauthorised hands following a security breach.

In a statement posted on its website, LiveAuctioneers has confirmed that “an unauthorised third party” accessed user data at some point in the past two weeks.

According to the auction-streaming website, the security breach occurred at an unnamed data processing partner of LiveAuctioneers:

Our cybersecurity team has confirmed that an unauthorized third party accessed certain user data in the past two weeks through a security breach at a LiveAuctioneers data processing partner.

The data that has been accessed could include user account information like names, email addresses, mailing addresses, visit history, phone numbers, last four digits of credit cards, credit card expiration dates, and encrypted passwords. Not all of this information may have been present on your account. Please also know that complete credit card numbers were not accessed.

LiveAuctioneers claims to have blocked the unauthorised party’s access to the data, and disabled user passwords.


Users are encouraged to change their passwords on the website, but I would go further and recommend that if any LiveAuctioneers users have made the mistake of using that same (now breached) password anywhere else on the internet, they need to change that too.

Reusing passwords is never a good idea, as hackers will often use passwords stolen in one data breach to break into other accounts.

Frustratingly, LiveAuctioneers does not share any details of what it means by “encrypted passwords” – meaning that it is hard to calculate the likelihood of a malicious party being able to crack and abuse them.
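To make concrete why the scheme behind "encrypted passwords" matters, here is an added example (not from LiveAuctioneers or from the original article) that stores the same constructed passwords as unsalted MD5 and as salted PBKDF2, then audits each set. The function names, sample accounts, iteration count and the `pbkdf2_sha256$...` layout are assumptions made for illustration.

```python
import hashlib
import os
import re
from collections import Counter

ITERATIONS = 600_000  # assumed work factor for this example

def store_md5(password: str) -> str:
    """Unsalted MD5 hex digest: one fast hash, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()

def store_pbkdf2(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 in a 'scheme$iterations$salt$hash' layout (constructed)."""
    salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

# Order matters: self-describing formats first, bare hex digests (by length) last.
PATTERNS = [
    (re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]+\$[0-9a-f]+$"), "salted, slow KDF"),
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "salted, slow KDF"),  # bcrypt prefix
    (re.compile(r"^\$argon2(id|i|d)\$"), "salted, slow KDF"),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "bare 128-bit digest (MD5-sized), fast"),
    (re.compile(r"^[0-9a-fA-F]{40}$"), "bare 160-bit digest (SHA-1-sized), fast"),
]

def classify(stored: str) -> str:
    """Label a stored password value by its visible format."""
    for pattern, label in PATTERNS:
        if pattern.match(stored):
            return label
    return "unknown, review manually"

def audit(rows):
    """rows: list of (user, stored_value). Summarise schemes and repeated values."""
    schemes = Counter(classify(value) for _, value in rows)
    repeats = Counter(value for _, value in rows)
    # Two users with the same stored value is only possible without a per-user salt.
    shared = sorted(user for user, value in rows if repeats[value] > 1)
    return {"schemes": dict(schemes), "users_sharing_a_value": shared}

# Constructed sample accounts; alice and carol chose the same password.
SAMPLE = [("alice", "Gavel-2020"), ("bob", "lot#41-bid"), ("carol", "Gavel-2020")]

if __name__ == "__main__":
    for name, store in (("md5", store_md5), ("pbkdf2", store_pbkdf2)):
        print(name, audit([(user, store(pw)) for user, pw in SAMPLE]))
```

With the unsalted digest, the audit shows alice and carol holding the same stored value, so one recovered password exposes every account that shares it; with a per-user salt and a slow KDF, no two stored values match and each guess costs 600,000 hash iterations.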

Of course, passwords are not the only details which are potentially now in the hands of cybercriminals. Exposed data also included users’ email addresses, phone numbers, partial credit card details, and postal addresses – all of which could be exploited by a scammer in the form of, for instance, a phishing attack.

LiveAuctioneers says it takes the protection of member information “very seriously,” and is inviting users who have questions or see any suspicious account activity to contact its customer support team.

Update (12 July 2020):

Since this article was first published, LiveAuctioneers has updated its statement to clarify that it was just one of the third-party data processor’s clients to have its data exposed, and to offer the sensible advice for customers to also change their passwords if they were using the same ones elsewhere on the internet.

Further reading: Millions of LiveAuctioneers passwords offered for sale following data breach

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “LiveAuctioneers security breach puts users at risk”

  1. Mark Jacobs

    Those passwords couldn't have been that well encrypted if you're worried about their reuse on other sites. It implies that the robbers will be able to decrypt them.

    1. Graham Cluley · in reply to Mark Jacobs

      It looks like three million of LiveAuctioneers' breached user passwords have already been cracked.

      They were using MD5. :(
