“Encrypted passwords” and contact details fall into the hands of unauthorised party.

LiveAuctioneers, the online website which broadcasts live auctions selling antiques, art, and collectibles, has warned that user details have fallen into unauthorised hands following a security breach.

In a statement posted on its website, LiveAuctioneers has confirmed that “an unauthorised third party” accessed user data at some point in the past two weeks.

According to the auction-streaming website, the security breach occurred at an unnamed data processing partner of LiveAuctioneers:

Our cybersecurity team has confirmed that an unauthorized third party accessed certain user data in the past two weeks through a security breach at a LiveAuctioneers data processing partner.

The data that has been accessed could include user account information like names, email addresses, mailing addresses, visit history, phone numbers, last four digits of credit cards, credit card expiration dates, and encrypted passwords. Not all of this information may have been present on your account. Please also know that complete credit card numbers were not accessed.

LiveAuctioneers claims to have blocked the unauthorised party’s access to the data, and disabled user passwords.

Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

Users are encouraged to change their passwords on the website, but I would go further and recommend that if any LiveAuctioneers users have made the mistake of using that same (now breached) password anywhere else on the internet, they need to change that too.

Reusing passwords is never a good idea, as hackers will often take passwords stolen in one data breach to break into other accounts.

Frustratingly, LiveAuctioneers does not share any details of what it means by “encrypted passwords” – meaning that it is hard to calculate the likelihood of a malicious party being able to crack and abuse them.

Of course, passwords are not the only details which are potentially now in the hands of cybercriminals. Exposed data also included users’ email addresses, phone numbers, partial credit card details, and postal addresses – all of which could be exploited by a scammer in the form of, for instance, a phishing attack.

LiveAuctioneers says it takes the protection of member information “very seriously,” and is inviting users who have questions or see any suspicious account activity to contact its customer support team.

Update (12 July 2020):

Since this article was first published, LiveAuctioneers has updated its statement to clarify that it was just one of the third-party data processor’s clients to have its data exposed, and to offer the sensible advice for customers to also change their passwords if they were using the same ones elsewhere on the internet.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.