Data Breach

LiveAuctioneers has disclosed a data breach after a well-known data breach broker began selling 3.4 million stolen user records on a hacker forum.

LiveAuctioneers is an auction site that allows people worldwide to bid on auctioned items in real time.

On July 10th, 2020, a data breach broker began selling a database that allegedly contains 3.4 million user records stolen from the LiveAuctioneers site.

BleepingComputer was told by the data broker that the database is being sold for $2,500.

This data allegedly contains users' email addresses, usernames, MD5-hashed passwords, names, phone numbers, addresses, IP addresses, and social media profiles.

LiveAuctioneers database sold on a hacker forum

In addition to this data, the seller stated that 3 million of the accounts had their passwords decrypted, which were included in the sale.

This type of data is a treasure trove for threat actors, as it can be used in targeted phishing attacks and in credential stuffing attacks at other sites.

The user records were later verified by cybersecurity intelligence firm CloudSEK, which was able to verify the data for various users listed in the sold database.

"Using public sources we were able to verify various fields such as mobile number, physical address and email address in the sample data. The sample has a mix of US and UK users’ data," CloudSEK stated in a report.

LiveAuctioneers discloses a data breach

On July 11th, a day after the database was listed for sale, LiveAuctioneers posted a security notification stating that they suffered a data breach.

According to the data breach notification, the site's data was compromised on June 19th, 2020, after a "LiveAuctioneers data processing partner" was breached.

"As of July 11th, 2020, our cybersecurity team has confirmed that an unauthorized third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19, 2020," the data breach notification stated.

They stress that credit card information was not accessed, and do not believe bidding history was affected.

The information exposed in this data breach matches the data being sold on the hacker forum.

After discovering the breach, LiveAuctioneers disabled the passwords for all bidder accounts and is requiring members to perform a password reset via the "Forgot password" link.

What should the affected customers do?

If you are a LiveAuctioneers user and are worried that this breach has exposed your data, you should take the following steps.

As your plain-text password may have been exposed, you should change your password on any site that uses the same credentials.

When changing your password, be sure to use a unique and strong password at every site that you visit. Doing this prevents a data breach at one site from affecting your accounts at other sites.

You should also be on the lookout for phishing attacks targeting your LiveAuctioneers member information and eBay accounts.

BleepingComputer has contacted LiveAuctioneers for more information but has not heard back as of yet.
