Antiques marketplace blames breach on data processing partner
LiveAuctioneers, an online antiques marketplace, has revealed that it suffered a data breach that security researchers have claimed includes the personal data and cracked passwords of millions of users.
In a security alert published on Saturday (July 11), LiveAuctioneers said that “encrypted passwords” had been stolen along with names, email addresses, mailing addresses, and phone numbers.
The New York-based company “confirmed that an unauthorized third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19”.
After learning of the incident, the auctioneer forced a password reset for bidder accounts, and blocked the unauthorized access.
Although the company said it had “no reason to believe auction history was affected”, passwords for auctioneer accounts were also reset as a precautionary measure.
In a blog post, cybersecurity firm CloudSEK said it had found a post on a cybercrime marketplace, dated 10 July, advertising the information of 3.4 million LiveAuctioneers users, as well as three million cracked username and password combinations.
“Using public sources, we were able to verify various fields such as mobile number, physical address, and email address in the sample data,” said the India-based security company.
CloudSEK said 24 email-password combinations furnished by the seller to verify the data dump’s authenticity included cracked, MD5-protected passwords.
At the time of writing, LiveAuctioneers had not responded to The Daily Swig’s request to confirm CloudSEK’s claims about the number of users affected or the use of MD5.
MD5 was developed in 1991 for use as a cryptographic hash function.
However, the aging algorithm has been dismissed as “cryptographically broken and unsuitable for further use” after myriad vulnerabilities emerged.
Nevertheless, a 2019 study by academics in Greece found that MD5 was still being widely used for securing and storing user passwords.
“MD5 is not ideal for password storage because it is easier to crack through brute-force attacks and dictionary attacks,” Deepanjli Paulraj, lead cyber intelligence editor at CloudSEK, told The Daily Swig.
“It is preferable to use modern hashing algorithms like Bcrypt which are more resistant to pre-computed hash attacks and brute-force attacks.”
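As an added illustration of the point Paulraj makes (this is example code, not from the article, CloudSEK or LiveAuctioneers), the Python below verifies a legacy unsalted MD5 record and, on a successful login, transparently rehashes the password with a salted, iterated PBKDF2-SHA256 from the standard library, used here as a stand-in for bcrypt because the standard library has no bcrypt. The password and the stored record are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed sample: an unsalted MD5 record of the hypothetical password
# "correct horse". Every user with this password gets this same digest,
# which is what makes precomputed (rainbow-table) and dictionary attacks cheap.
SAMPLE_LEGACY_RECORD = hashlib.md5(b"correct horse").hexdigest()

# Work factor for the replacement scheme; raise it until one hash takes
# tens of milliseconds on your own hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_md5_record(password: str) -> str:
    """How the legacy scheme stored a password: deterministic, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, iterated hash. Record format: pbkdf2$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(16)  # fresh salt per user: same password, different record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify a password against either record format, in constant time."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate.hex(), digest_hex)
    # Legacy path: still accepted so existing users can log in once and be upgraded.
    return hmac.compare_digest(legacy_md5_record(password), stored)


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check the login; if it succeeded against a legacy MD5 record, return
    a new PBKDF2 record to overwrite it with, so MD5 disappears over time."""
    ok = verify_password(password, stored)
    if ok and not stored.startswith("pbkdf2$"):
        return True, hash_password(password)
    return ok, stored
```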
CloudSEK also said some IP addresses were present in a sample containing the personally identifiable information (PII) of 15 US- and UK-based users.
LiveAuctioneers said that not every data type was necessarily present on every user’s account at the time of the breach.
Identity theft risk
Paulraj praised LiveAuctioneers for being “quick to disable the accounts”, but also pointed out that users often reuse the same password across multiple accounts.
This, she said, opened up the potential for threat actors to launch credential stuffing attacks to compromise victims’ email, banking, or other online accounts.
LiveAuctioneers, which emailed personalized security instructions to users on July 11, has advised users to change their account passwords and identical or similar passwords used for other online accounts, and to be on guard for phishing emails.
CloudSEK also urged users to enable multi-factor authentication and not to share one-time passwords with third parties.
Founded in 2002, LiveAuctioneers has around 29 million items of art, antiques, jewellery, and collectibles up for auction.
Among the current notable offerings on the platform is an Enigma Machine used by Nazi Germany to encrypt sensitive communications during World War II.