Online Auctions Site “Completely Failed Its Customers”

“LiveAuctioneers, the online website which broadcasts live auctions selling antiques, art, and collectibles, has warned that user details have fallen into unauthorized hands following a security breach,” reported by Graham Cluley last week.

A notification on LiveAuctioneers website states, “As of July 11th, 2020, our cybersecurity team has confirmed that an unauthorized third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19, 2020.”

The data exfiltrated seems to be:

  • Names
  • Email addresses
  • Mailing addresses
  • Phone numbers
  • Encrypted passwords

Graham noted that security researches reported that the day before the announcement of the breach from LiveAuctioneers, someone offered for sale on an underground forum the details of 3.4 million users of the auction website, alongside three million cracked username/password combinations.

An expert with Point3 Security offers perspective

Chloé Messdaghi, VP of Strategy for Point3 Security (,

This company has completely failed its customers. I went on the site and started an account with the simplest of passwords: password. And then, I was immediately asked to enter my credit card data. There was no 2FA, and no request for a longer and strong password with upper and lower cases, symbols or letters. Given the major amounts of monies involved in some of the art auctions on LiveAuctions, its customers should expect far better security. That in itself means they set themselves up to fail and set their customers up to fail too.

It’s a disappointing fact that a lot of consumer-facing companies and even banks still don’t require better passwords, such as more than 30+ characters, and don’t even have 2-factor authentication requirements. Moreover, you can download the LiveAuctions app, and then their website insecurity flows through to your device – who knows if malware could follow? And who knows whether, when LiveAuctions updates its website it also updates its app and vice versa?

LiveAuctions is auctioning things that are tens of thousands of dollars. Surely, they can invest in just a little to let consumers know their passwords are overly weak and push back to let them reevaluate.

When companies don’t invest in security, they’re forcing their customers to change their credit cards and also to reconsider their affiliation with the company.  It’s so important to invest in security – for customers and for the company’s own stability.

LiveAuctioneers as reset passwords for bidder and auctioneer accounts and they posted the following suggestions:

Gurucul CEO Commented

Saryu Nayyar, CEO at Gurucul

Account compromise attacks continue to net profits to cybercriminals. You should always use unique usernames and passwords for every application and system you touch. Hopefully, LiveAutioneer customers did not reuse their username/password combinations for any other systems or applications. When it comes to protecting corporate assets, the best way to identify account compromises or account takeovers is with behavior analytics. Cybercriminals can steal credentials but they cannot steal behavior. When behavior changes anomalously, then you know something is amiss and can proactively take remediation actions to stop a cyberattack in progress.

What LiveAuctioneers Users Can Do

  • Visit and click “Log In” on the top right-hand corner
  • Click “Forgot Password” on the login window
  • Enter your email address and click “Send Reset Instructions”
  • Check your email and follow the link provided to reset your password

If you’re already logged-in, click the dropdown from your user icon in the top right corner and click “Account Settings”. From here, click “Change Password”.

To help keep your information safe, we suggest the following security measures:

  • We recommend you change passwords for any other online accounts for which you used the same or similar password as used for your LiveAuctioneers account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications asking for your personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.