Cyber Incident Victim: BrickLink
Date: Nov 2023
Location: United States of America
Summary
BrickLink experienced a cybersecurity incident that caused extended downtime and was initially suspected to be a hacking attempt. The platform shut down temporarily because of unusual activity, and investigations indicated unauthorized access to a small number of accounts, potentially using externally obtained data. As a precaution, all user accounts were locked pending password resets upon relaunch. Reports from community forums mentioned ransom demands threatening store deletions, though official communications did not confirm this. The incident disrupted operations significantly, requiring thorough system assessments before restoration. No evidence suggested compromise of stored payment information, as transactions are processed through external gateways. The team worked continuously to resolve the issue and restore services while advising users on security practices.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 3, 2023, BrickLink, a prominent LEGO marketplace, experienced an extended outage lasting approximately five hours, significantly longer than its routine maintenance windows. Initial error messages indicated the platform was investigating "unusual activity," prompting speculation of a cybersecurity incident. User reports from BrickLink seller groups on Facebook and the BrickLink subreddit described compromised seller accounts, including ransom demands threatening store and inventory deletion unless cryptocurrency payments were made. BrickLink administrators took the site offline as a containment measure to assess the breach's scope, investigate unauthorized access, and mitigate damage. The company's first official communication on November 4 confirmed an ongoing investigation but provided no specifics, emphasizing a focus on restoring operations swiftly. Subsequent updates on November 5 and 6 acknowledged that the site's closure was due to "unusual activity" and revealed preliminary findings suggesting a "very small percentage" of accounts might have been accessed by unauthorized actors using data obtained externally.

By November 7, BrickLink confirmed a limited number of accounts were potentially compromised and announced plans to contact affected users directly. As a precaution, the company locked all user accounts, impacted or not, pending a site-wide password reset upon reopening. The incident caused significant operational disruption, halting sales and transactions for sellers reliant on the platform. While BrickLink clarified that payment data was not stored on its servers (handled instead by third-party gateways), it advised users to adopt strong, unique passwords and security software. The prolonged downtime generated frustration within the community, though BrickLink acknowledged public support on social media as a morale boost for its response team. Restoration efforts remained ongoing as of the latest update, with no confirmed timeline for full service resumption.
