Expert Comments

Expert Reaction On Millions of LiveAuctioneers Passwords for Sale

Expert(s): Security Experts
Expert(s): Security Experts

Researchers at CloudSEK claim to have found evidence of the sale of a database containing 3.4 million users of online art and antique auction website.

 

 

Experts Comments

Dot Your Expert Comments
Chloé Messdaghi
July 14, 2020
VP of Strategy
Point3 Security

Given the major amounts of monies involved in some of the art auctions on LiveAuctions, its customers should expect far better security.
This company has completely failed its customers. I went on the site and started an account with the simplest of passwords: password. And then, I was immediately asked to enter my credit card data. There was no 2FA, and no request for a longer and strong password with upper and lower cases, symbols or letters. Given the major amounts of monies involved in some of the art auctions on LiveAuctions, its customers should expect far better security. That in itself means they set themselves up to.....Read More
This company has completely failed its customers. I went on the site and started an account with the simplest of passwords: password. And then, I was immediately asked to enter my credit card data. There was no 2FA, and no request for a longer and strong password with upper and lower cases, symbols or letters. Given the major amounts of monies involved in some of the art auctions on LiveAuctions, its customers should expect far better security. That in itself means they set themselves up to fail and set their customers up to fail too. It’s a disappointing fact that a lot of consumer-facing companies and even banks still don’t require better passwords, such as more than 30+ characters, and don’t even have 2-factor authentication requirements. Moreover, you can download the LiveAuctions app, and then their website insecurity flows through to your device – who knows if malware could follow? And who knows whether, when LiveAuctions updates its website it also updates its app, and vice versa? LiveAuctions is auctioning things that are tens of thousands of dollars. Surely, they can invest in just a little to let consumers know their passwords are overly weak and push back to let them reevaluate. When companies don’t invest in security, they’re forcing their customers to change their credit cards and also to reconsider their affiliation with the company. It’s so important to invest in security – for customers and for the company’s own stability.  Read Less
Chris Hauk
July 14, 2020
Consumer Privacy Champion
Pixel Privacy

I strongly urge Live Auctioneers customers to change the password for their account on the affected site.
It's a bit ironic that users of an auction site are now seeing their login credentials and personal details being auctioned off to the highest bidder. Data breaches such as this one should prove a fair warning to all online users to stay away from using the same login and password combination on multiple websites. It should also provide a warning to websites and services that persist in encrypting user information by using antiquated encryption methods. I feel like a broken record, but I.....Read More
It's a bit ironic that users of an auction site are now seeing their login credentials and personal details being auctioned off to the highest bidder. Data breaches such as this one should prove a fair warning to all online users to stay away from using the same login and password combination on multiple websites. It should also provide a warning to websites and services that persist in encrypting user information by using antiquated encryption methods. I feel like a broken record, but I strongly urge Live Auctioneers customers to change the password for their account on the affected site, and to double-check to confirm that login information isn't being reused on any other sites. And of course, keep an eye out for suspicious activity, be wary of links and attachments in emails, and take advantage of the free credit monitoring or other online security offering that should be offered by Live Auctioneers.  Read Less
Saryu Nayyar
July 14, 2020
CEO
Gurucul

When it comes to protecting corporate assets, the best way to identify account compromises or account takeovers is with behavior analytics.
Account compromise attacks continue to net profits to cybercriminals. You should always use unique usernames and passwords for every application and system you touch. Hopefully, LiveAutioneer customers did not reuse their username/password combinations for any other systems or applications. When it comes to protecting corporate assets, the best way to identify account compromises or account takeovers is with behavior analytics. Cybercriminals can steal credentials but they cannot steal.....Read More
Account compromise attacks continue to net profits to cybercriminals. You should always use unique usernames and passwords for every application and system you touch. Hopefully, LiveAutioneer customers did not reuse their username/password combinations for any other systems or applications. When it comes to protecting corporate assets, the best way to identify account compromises or account takeovers is with behavior analytics. Cybercriminals can steal credentials but they cannot steal behavior. When behavior changes anomalously, then you know something is amiss and can proactively take remediation actions to stop a cyberattack in progress.  Read Less
Paul Bischoff
July 14, 2020
Privacy Advocate
Comparitech

MD5 was proven vulnerable in 2010 and successful major attacks started emerging as early as 2012.
The use of MD5, an obsolete hash algorithm is a major oversight by LiveAuctioneers et al. MD5 was proven vulnerable in 2010 and successful major attacks started emerging as early as 2012, so there's really no reason to be using it a decade later. Despite that, MD5 is still widely used, including for password hashing. Organisations still using MD5 should immediately upgrade to SHA2 or better. LiveAuctioneers users should immediately change their passwords. That includes any other accounts that.....Read More
The use of MD5, an obsolete hash algorithm is a major oversight by LiveAuctioneers et al. MD5 was proven vulnerable in 2010 and successful major attacks started emerging as early as 2012, so there's really no reason to be using it a decade later. Despite that, MD5 is still widely used, including for password hashing. Organisations still using MD5 should immediately upgrade to SHA2 or better. LiveAuctioneers users should immediately change their passwords. That includes any other accounts that share the same password, as hackers will attempt to use the same username and password combination on other sites, apps, and services. Always use unique passwords for each account to avoid credential stuffing attacks.  Read Less
Laurence Pitt
July 14, 2020
Global Security Strategy Director
Juniper Networks

Laurence Pitt, Global Security Strategy Director at Juniper Networks
“While there is nothing to say that the stolen data came from a single breach, what this emphasizes is the need for people to regularly update passwords and use 2FA wherever possible. With tools like Microsoft Authenticator and 1-Password making this so easy, there’s really no excuse for old and recycled passwords today. The unfortunate reality is that hackers will steal whatever data they can lay their hands on and sell to the highest bidder. As the end user, this means we must take.....Read More
“While there is nothing to say that the stolen data came from a single breach, what this emphasizes is the need for people to regularly update passwords and use 2FA wherever possible. With tools like Microsoft Authenticator and 1-Password making this so easy, there’s really no excuse for old and recycled passwords today. The unfortunate reality is that hackers will steal whatever data they can lay their hands on and sell to the highest bidder. As the end user, this means we must take responsibility for ensuring that our personal accounts/data and profiles are well-protected with regularly updated and non-recycled passwords.”  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Qualys Hit With Ransomware And Customer Invoices Leaked

Experts Reaction On PrismHR Hit By Ransomware Attack

Expert Insight On Ryuk’s Revenge: Infamous Ransomware Is Back And...

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords

Expert Reaction On Go Is Becoming The Language Of Choice...