Auctions platform LiveAuctioneers has revealed a data breach that likely impacted approximately 3.4 million of its users.
Founded in 2002, the art, antiques, jewelry, and collectibles online marketplace claims to be broadcasting thousands of live auctions each year, providing live bidding options for millions of items.
Over the weekend, the bidding forum revealed that unknown actors accessed a partner’s systems last month, and that user information was stolen before the leak was plugged.
“As of July 11th, 2020, our cybersecurity team has confirmed that an unauthorized third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19, 2020,” the online marketplace notes.
Affected user information includes names, phone numbers, email and mailing addresses, and encrypted passwords. However, LiveAuctioneers notes, not all accounts had all of this information present.
“Our cybersecurity team has confirmed that complete credit card numbers were not accessed, and we have no reason to believe auction history was affected,” LiveAuctioneers says.
The bidding portal has prompted a platform-wide password reset operation, and all users will have to set a new password when first accessing their accounts. Both bidder and auctioneer accounts are impacted by the move.
Security researchers at CloudSEK say they’ve found on a surface web database marketplace a post advertising the information of roughly 3.4 million LiveAuctioneers users, likely pointing to the number of affected users.
“The poster is selling 3.4 million users’ data and 3 million cracked username password combinations. The seller has shared 15 user records and 24 email-password combinations to support their claims,” CloudSEK notes.
The advertised user records include usernames and encrypted passwords, email addresses, complete names, physical addresses, and IP addresses.
“Using public sources we were able to verify various fields such as mobile number, physical address and email address in the sample data. The sample has a mix of US and UK users’ data,” the researchers reveal.
Furthermore, the poster also claims to have cracked the encrypted passwords, and shared a sample to prove their claims.