August 25, 2020

3.4 million LiveAuctioneers users suffer at the hands of a data breach

On July 12 New York-based art, antiques, and collectibles online marketplace LiveAuctioneers gave their online auction users some bad news. Their cybersecurity team confirmed, one month after the incident occurred, that a cyber-attack on 19 June 2020 had allowed hackers to access data contained in the company's records. That data included personal information on 3.4 million buyers and sellers, including names, email addresses, mailing addresses, phone numbers, visit history, and users' passwords, stored as unsalted MD5 hashes. Thankfully, sensitive credit card details were apparently not exposed to the data thieves this time around.

While LiveAuctioneers disabled passwords on all its bidder accounts and advised users to change any matching email/password combinations on other sites, the delay between the attack and the actual acknowledgment of the breach left many site users, on and off the site, at further risk of fraudulent transactions, identity theft and phishing via other platforms. ARCA has learned of at least one purchaser who, paying for an item bought on LiveAuctioneers via PayPal, inadvertently sent funds (later reimbursed by PayPal) to a third party who was not the seller they assumed they were buying from.

The attack was apparently orchestrated by a hacker who offered the user data for sale on a surface-web hacker forum, who goes by the screen name Megadimarus and who humbly lists his work title as "God." Megadimarus is the same culprit responsible for the data breaches of dozens of other user-data-rich websites, and for those of you who want to delve further, just google the pseudonym of this in-your-face-and-up-your-left-nostril attacker.

Yet, while it looks like LiveAuctioneers may have, like so many others, failed to adequately protect their users' data, the shocking truth is that an individual's password can often be cracked easily even with salting, if the salt is kept alongside the hashed password, as most systems do. This is why more security-minded websites prompt people, as a general rule, not to use weak passwords like ISolemnlySwearImUpToNoGood or FBISurveillanceVan, or any combination of characters that comes straight from a dictionary, since these are the first to be cracked. It is also wise not to reuse the same password across multiple sites, as breaches like these are far too common.
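To make that point concrete, here is an added example (Python, not part of the original post) contrasting the unsalted MD5 storage the post describes with MD5 plus a stored per-user salt and with a slow, salted PBKDF2 store; the wordlist is constructed and the function names are my own.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist of dictionary-style passwords (not breach data),
# including the two weak examples the post names.
WEAK_WORDS = ["klimt", "password1", "ISolemnlySwearImUpToNoGood", "FBISurveillanceVan"]


def md5_unsalted(password: str) -> str:
    """Storage scheme the post attributes to LiveAuctioneers."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """MD5 with a per-user salt kept beside the hash, as most systems do."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def audit_unsalted(hashes: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Unsalted: one precomputed table covers every record in the dump, and
    identical hashes also reveal which users chose the same password."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def audit_salted(stored: str, salt: bytes, wordlist: List[str]) -> Optional[str]:
    """Salted: no shared table, but each guess is still a single fast MD5 per
    user, so a dictionary word is recovered just as surely."""
    for w in wordlist:
        if md5_salted(w, salt) == stored:
            return w
    return None


def pbkdf2_store(password: str, iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Hardened form: random salt plus a deliberately slow key derivation,
    so every guess costs the attacker the same work it costs the login."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verify(password: str, salt: bytes, digest: bytes,
                  iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

Run the two audit functions over a test dump to see how quickly dictionary passwords fall under either MD5 variant; only the slow, salted derivation changes the economics of guessing.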

In closing, I feel your pain, especially whenever I sign up for a new website with enhanced password protection rules, as my experience inevitably goes something like this:

WEBSITE: Please create your preferred password.
ME: klimt
WEBSITE: Sorry, your password must be more than 8 characters.
ME: gustav klimt
WEBSITE: Sorry, your password cannot have blank spaces.
ME: gustavklimt
WEBSITE: Sorry, your password must contain 1 numerical character.
ME: gustavklimtdiedin1918
WEBSITE: Sorry, your password must contain at least one uppercase character.
ME: gustavKLIMTdiedin1918
WEBSITE: Sorry, your password cannot use more than one uppercase character consecutively.
ME: GustavKlimtdiedin1918StupidContraryWebsite
WEBSITE: Sorry, your password must contain a special character.
ME: GustavKlimtdiedin1918StupidContraryWebsiteGiveMeAccessNow$£%&!
WEBSITE: Sorry, that password is already in use.

By: Lynda Albertson