A dedicated auction site that enables people around the world to bid in real time on auctioned listings has disclosed an extensive data breach.
LiveAuctioneers publicly announced that it had been hit after discovering that a widely known broker in stolen data was selling millions of user records matching its own database on a hackers’ forum.
Treasure trove of personal data on sale
On July 10, the data broker began selling a database comprising 3.4 million stolen user records, allegedly taken from LiveAuctioneers’ site during a breach. The total price of the information up for sale is a mere $2,500, but the high volume of users impacted, as well as the confidential nature of the data, makes the incident serious.
The information taken in the hack allegedly amounts to a huge hoard of Personally Identifiable Information (PII) including users’ names, addresses, phone numbers, email addresses, MD5 hashed passwords, usernames and IP addresses.
Along with the PII, the data breach broker has stated that the passwords linked to three million of the seized user accounts had been cracked, and that this information was also part of the sale.
This kind of personal data provides a rich bounty for cybercriminals, as it may be used to damaging effect as part of a wider campaign involving credential stuffing or phishing attacks on other sites.
Intelligence experts at the cybersecurity company CloudSEK examined the user records up for sale and confirmed their authenticity by checking the data against various users named within the database.
In its recent report, the cybersecurity firm noted:
“Using public sources, we were able to verify various fields such as mobile number, physical address and email address in the sample data. The sample has a mix of US and UK users’ data.”
Disclosure of a data breach
In keeping with regulations, LiveAuctioneers reported its discovery of the incident on July 11, announcing that it had incurred a data breach in a security notification online.
According to the public post, the auction site’s data systems were compromised after one of its partners charged with processing user information was subject to a breach:
“As of July 11th, 2020, our cybersecurity team has confirmed that an unauthorised third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19, 2020.”
The company has stressed to those affected that no credit card information was exposed in the hack and that it saw no evidence that any bidding history had been impacted by the attack.
When the information that surfaced in the hacker forum was matched against the data exposed in the attack, LiveAuctioneers became aware of the breach and took steps to limit ongoing damage.
The auction site disabled every password connected to a bidder account and is now asking all users to reset their passwords using the “Forgot password” option. Experts advise that all site users should keep a sharp eye out for phishing emails using their exposed PII.