LiveAuctioneers security breach puts users at risk

“Encrypted passwords” and contact details fall into the hands of unauthorised party.

Graham Cluley @gcluley


LiveAuctioneers, the website that broadcasts live auctions selling antiques, art, and collectibles, has warned that user details have fallen into unauthorised hands following a security breach.

In a statement posted on its website, LiveAuctioneers has confirmed that “an unauthorised third party” accessed user data at some point in the past two weeks.

According to the auction-streaming website, the security breach occurred at an unnamed data processing partner of LiveAuctioneers:

Our cybersecurity team has confirmed that an unauthorized third party accessed certain user data in the past two weeks through a security breach at a LiveAuctioneers data processing partner.

The data that has been accessed could include user account information like names, email addresses, mailing addresses, visit history, phone numbers, last four digits of credit cards, credit card expiration dates, and encrypted passwords. Not all of this information may have been present on your account. Please also know that complete credit card numbers were not accessed.

LiveAuctioneers claims to have blocked the unauthorised party’s access to the data, and disabled user passwords.


Users are encouraged to change their passwords on the website, but I would go further and recommend that if any LiveAuctioneers users have made the mistake of using that same (now breached) password anywhere else on the internet, they need to change that too.

Reusing passwords is never a good idea, as hackers will often take passwords stolen in one data breach to break into other accounts.

Frustratingly, LiveAuctioneers does not share any details of what it means by “encrypted passwords” – meaning that it is hard to calculate the likelihood of a malicious party being able to crack and abuse them.
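Why the meaning of “encrypted passwords” matters, as an added example that is not from LiveAuctioneers or from the original article: the same constructed accounts are stored once as a fast unsalted digest and once with a per-user salt and a slow key-derivation function, and the leaked column is then summarised. Unsalted MD5 and salted PBKDF2 are assumed here purely for contrast; the accounts, the `exposure` helper and the iteration count are illustrative.

```python
import hashlib, hmac, os
from collections import Counter

# Constructed sample accounts (not from the breach): three users share a password.
USERS = [("alice", "Summer2020"), ("bob", "Summer2020"),
         ("carol", "Summer2020"), ("dave", "x9!Lq-tR4v")]
PBKDF2_ITERATIONS = 600_000  # assumed work factor, tune to your hardware

def store_md5(password):
    """Fast, unsalted digest: one of the things 'encrypted' can mean."""
    return hashlib.md5(password.encode()).hexdigest()

def store_pbkdf2(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def exposure(stored_values):
    """Summarise what a leaked credential column reveals before any guessing."""
    counts = Counter(stored_values)
    return {
        "accounts": len(stored_values),
        "distinct_values": len(counts),
        # Accounts that fall together if a single stored value is recovered.
        "largest_shared_group": max(counts.values()),
    }

def compare():
    """Store the same accounts both ways and report the exposure of each column."""
    md5_column = [store_md5(pw) for _, pw in USERS]
    kdf_column = [store_pbkdf2(pw) for _, pw in USERS]
    return exposure(md5_column), exposure(kdf_column)

if __name__ == "__main__":
    for name, report in zip(("unsalted MD5", "salted PBKDF2"), compare()):
        print(name, report)
```

With the unsalted digest, users who chose the same password share one stored value, so recovering it once exposes all of them; with a per-user salt every stored value is different and each guess costs the full iteration count.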

Of course, passwords are not the only details which are potentially now in the hands of cybercriminals. Exposed data also included users’ email addresses, phone numbers, partial credit card details, and postal addresses – all of which could be exploited by a scammer in the form of, for instance, a phishing attack.

LiveAuctioneers says it takes the protection of member information “very seriously,” and is inviting users who have questions or see any suspicious account activity to contact its customer support team.

Update (12 July 2020):

Since this article was first published, LiveAuctioneers has updated its statement to clarify that it was just one of the third-party data processor’s clients to have its data exposed, and to offer the sensible advice for customers to also change their passwords if they were using the same ones elsewhere on the internet.

Further reading: Millions of LiveAuctioneers passwords offered for sale following data breach


Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “LiveAuctioneers security breach puts users at risk”

  1. Those passwords couldn't have been that well encrypted if you're worried about their reuse on other sites. It implies that the robbers will be able to decrypt them.

    1. It looks like three million of LiveAuctioneers' breached user passwords have already been cracked.

      https://grahamcluley.com/liveauctioneers-passwords-for-sale/

      They were using MD5. :(
