Auctions platform LiveAuctioneers disclosed a a data breach that might have impacted approximately 3.4 million users.
LiveAuctioneers is one of the world’s largest art, antiques & collectibles online marketplace that was founded in 2002.
The company confirmed the security breach over the weekend, it revealed that unknown threat actors accessed a partner’s systems in June stealing user information.
“As of July 11th, 2020, our cybersecurity team has confirmed that an unauthorized third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19, 2020.” reads the data breach notification published by the company.
“LiveAuctioneers was one of a number of their partners who have experienced a breach from an unauthorized party since this data processing partner’s security was compromised. Our cybersecurity team has ensured the unauthorized access has ceased.”
According to the company, attackers accessed personal details of the users, including names, email addresses, mailing addresses, phone numbers, and also encrypted passwords. Financial data, including credit card numbers, were not accessed by the hackers. The company confirmed that the an investigation into the hack is still ongoing.
In response to the incident, the bidding portal has forced a password reset for all users’ accounts, both bidder and auctioneer ones.
Unfortunately stolen data are already available for sale on the dark web, security researchers at CloudSEK reported.
The experts found a post advertising information of roughly 3.4 million LiveAuctioneers users.
“CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a surface web database marketplace, advertising the information of 3.4 million LiveAuctioneers users.” reads the post published by CloudSEK.
“The post was published on 10 July 2020 at 07:25 PM, a day before the statement from LiveAuctioneers. The poster is selling 3.4 million users’ data and 3 million cracked username password combinations. The seller has shared 15 user records and 24 email-password combinations to support their claims.”
The seller claims to have usernames, encrypted passwords, email addresses, complete names, physical addresses, and IP addresses for the platform users.
Researchers verified the authenticity of the data included in a sample set composed of US and UK users’ records.
Experts warn that attackers can use the PII in the data dump to carry out phishing campaigns, online and offline scams, and even identity theft.
“Usually our mobile numbers and email IDs are linked to banking, mobile wallet, and other online accounts. Having these details makes it easier for threat actors to compromise the victims’ accounts.” conclude the experts.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, LiveAuctioneers)