Cyber Incident Victim: LiveAuctioneers
Date: Jun 2020
Location: United States of America
Summary
A cybersecurity incident involving an online auction platform exposed personal data of 3.4 million users, including email addresses, usernames, names, phone numbers, physical addresses, IP addresses, social media profiles, and passwords stored as MD5 hashes. Cybercriminals offered the database for sale on underground forums, providing samples to verify authenticity, with approximately 3 million passwords already cracked. The organization acknowledged the breach through a public statement attributing it to an unnamed third-party data processor but did not disclose the incident's scope or confirm technical details about password encryption weaknesses.
Description
In June 2020, a database containing records of 3.4 million LiveAuctioneers users was compromised. The stolen data included email addresses, usernames, names, phone numbers, physical addresses, IP addresses, social media profiles, and passwords stored as MD5 hashes. Cybercriminals offered this database for sale on an underground forum in or around June 2020, advertising it as containing information from the live auctions marketplace. The seller claimed to have cracked three million password hashes, resulting in plaintext email-password combinations. To validate the authenticity of the breach data, the seller shared 15 user records and 24 email-password pairs with potential buyers. Security firm CloudSEK documented this sale listing on June 12, 2020, one day before LiveAuctioneers publicly acknowledged a security incident.

LiveAuctioneers issued a breach notification statement on June 13, 2020, attributing the incident to an unnamed third-party data processing partner. The company confirmed that encrypted passwords were exposed but did not disclose the number of affected users or specific technical details about the encryption method. Independent analysis suggested the use of MD5 hashing for password storage, an algorithm widely criticized for its vulnerability to cracking. The exposure of physical addresses, contact information, and cracked credentials created risks of credential-stuffing attacks, phishing campaigns, and identity theft targeting affected users. No information was provided regarding containment measures, forensic findings, or remediation steps beyond password resets and standard warnings about credential reuse. The company did not respond to media inquiries about its password security practices following the disclosure.
