LiveAuctioneers, an online auction platform headquartered in the United States, has confirmed a security incident after a database containing 3.4 million user records was put up for sale on the dark web for $2,500.
“As of July 11th, 2020, our cybersecurity team has confirmed that an unauthorized third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19,” the company said. “LiveAuctioneers was one of a number of their partners who have experienced a breach from an unauthorized party since this data processing partner’s security was compromised. Our cybersecurity team has ensured the unauthorized access has ceased.”
According to a data breach notification posted by the live auction marketplace, the affected information includes names, email and mailing addresses, phone numbers and encrypted passwords. However, the data broker selling LiveAuctioneers’ user data claimed that the database includes decrypted passwords and social media profiles.
The data breach memo also states that there is no evidence to suggest access to complete credit card data, and that no auction history was affected.
“Not all of this information may have been present on your account,” LiveAuctioneers said. “Additionally, our cybersecurity team has confirmed that complete credit card numbers were not accessed, and we have no reason to believe auction history was affected.”
On the same day, LiveAuctioneers disabled passwords on all bidder accounts, and advised users to follow the necessary steps to change their passwords. The company also emphasized that, although no auctioneer accounts were affected by the breach, a separate email containing personalized instructions for enhancing account security was sent on July 11.
LiveAuctioneers members can also take additional security measures, including:
• Changing the password on all of their online accounts that share login credentials with their LiveAuctioneers account.
• Reviewing accounts for any suspicious activity.
• Being wary of unsolicited email that could be seeking additional personal information, and never clicking on links or downloading attachments from unfamiliar or suspicious sources.