Cyber Incident Victim: GunAuction.com

Date: Mar 2023

Location: United States of America

Summary

A firearm auction platform suffered a data breach exposing over 550,000 users' sensitive information, including full names, home addresses, email addresses, plaintext passwords, and telephone numbers. The compromised data reportedly enables linking individuals to specific weapon transactions, potentially revealing sellers' identities and firearm locations. An unsecured server storing the stolen database was discovered by an anonymous security researcher, who found it accessible without authentication controls. The company's CEO confirmed the incident following FBI contact, acknowledging unauthorized access to personal customer data but asserting no evidence of financial information exposure. TechCrunch verified partial accuracy through victim outreach, though data recency remained unclear due to undeliverable communications.

Description

The breach impacting GunAuction.com, a firearm auction platform operational since 1998, occurred prior to March 2023 when researchers and journalists confirmed the exposure of highly sensitive user data. Hackers stole records containing full names, home addresses, email addresses, plaintext passwords, and telephone numbers for over 550,000 individuals. Notably, the exfiltrated data enabled the direct linkage of individuals to specific firearm transactions on the platform by correlating auction records with the stolen personal identifiers. The compromised server storing the stolen data, discovered by an anonymous security researcher in late 2022, was found to lack basic access controls, allowing unrestricted retrieval. After analyzing the dataset, the researcher shared evidence with cybersecurity expert Troy Hunt for validation via Have I Been Pwned, confirming its connection to GunAuction.com. Independent verification by TechCrunch involved contacting 160 affected individuals via email and phone, resulting in 10 explicit confirmations of data accuracy, though 25 email bounces and disconnected phone numbers suggested portions of the data were outdated.

GunAuction.com CEO Manny DelaCruz acknowledged the breach following FBI notification, indicating investigations revealed exposure of names, addresses, and email addresses but no financial data. DelaCruz stated affected users would be informed shortly and advised vigilance regarding financial accounts and credit reports. The incident echoed prior vulnerabilities in gun-related data handling, exemplified by a 2022 California Department of Justice incident that similarly exposed gun owners’ personal details, permit types, and identification numbers. The breach’s confirmation timeline remains unspecified beyond the FBI’s initial outreach prior to the March 2, 2023 public reporting, with no disclosed details regarding intrusion methods, containment measures, or forensic conclusions from GunAuction.com beyond the CEO’s initial statement.
