Maestronet Forums

Auction Site Hacked - how long before other sites?


l33tplaya


This site has a few violins every so often, but somehow - link from Maestronet? - got on their distro list. Thought the following would be of interest. Sadly, this is becoming the new normal. When will companies learn to secure their databases? Note the price - just that of a not very good Juzek or Dutzendware.

"LiveAuctioneers disclosed a data breach after a well-known data breach broker began selling 3.4 million stolen user records on a hacker forum. BleepingComputer was told by the data broker that the database is being sold for $2,500. The breached data includes users' emails, usernames, MD5-hashed passwords, names, phone numbers, addresses, IP addresses, and social media handles. In addition to the data, the seller stated that three million of the accounts had their passwords decrypted, which were also included in the sale."


29 minutes ago, l33tplaya said:

The link:  https://www.bleepingcomputer.com/news/security/liveauctioneers-reports-data-breach-after-user-records-sold-online/

The cause: "trusted" third party partner.  Of course.  Irresponsible. 


5 minutes ago, Shelbow said:

Yep, shitty third parties as standard. I used to be in charge of GDPR and data security for a year or so in a previous job. Had to deal with a few minor third party data breaches. My sister is a data security consultant.

Third party partner.  Isn't that geek speak for "people that we sold your data to legally"?  :huh:


Well sometimes it's people you paid to process things or do research for you.

They are not part of your company but you may have given them some access to your data in some way. 

They have no direct relationship with the users whose data they process but they have access for a whole multitude of reasons. 

A lot of breaches happen with these kinds of providers.


2 hours ago, Violadamore said:


Third party partner.  Isn't that geek speak for "people that we sold your data to legally"?  :huh:

You are too funny. Or prescient. :D 

Seriously, it's usually 3rd party data processors, because the requirements to process securely are too onerous for smaller or even large companies, and no one wants to deal with it properly.  3rd parties are supposed to conform to regulatory standards as well as the hiring company standards. In my experience, over half do not, which is why some of us get paid to tell them what they are doing wrong.  

Now we have much stricter GDPR and CCPA (California does something right), as well as tough new standards in Maine, which is the first to require opt-in of consumer information sales, vs. California and Nevada, et al., which are opt out. https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html

Edited by l33tplaya
added link

1 hour ago, Shelbow said:

Well sometimes it's people you paid to process things or do research for you.

They are not part of your company but you may have given them some access to your data in some way. 

They have no direct relationship with the users whose data they process but they have access for a whole multitude of reasons. 

A lot of breaches happen with these kinds of providers.


17 minutes ago, l33tplaya said:

You are too funny. Or prescient. :D 

Seriously, it's usually 3rd party data processors, because the requirements to process securely are too onerous for smaller or even large companies, and no one wants to deal with it properly.  3rd parties are supposed to conform to regulatory standards as well as the hiring company standards. In my experience, over half do not, which is why some of us get paid to tell them what they are doing wrong.  

Now we have much stricter GDPR and CCPA (California does something right), as well as tough new standards in Maine, which is the first to require opt-in of consumer information sales, vs. California and Nevada, et al., which are opt out.

Yup.  I used to be in the business.  Thank you both for your responses.  I'd type something brilliantly sarcastic at this point to express my feelings about how a lot of that processing is currently done, but it would be neither wise nor productive.  :ph34r:


I had a friend, starting back in high school in the late '70s, who wrote backdoors into every program he ever worked on and would periodically check to see if it was still viable. University, State Government, Payroll, Library services, security for a very large regional research museum. The FBI finally caught up with him and he went straight and became a consultant. He's dead now but his legend lives on.


I have no idea what you're talking about. I have an account at LiveAuctioneers, so I am assuming they got my information, but if I change my password everything should be peachy, right?

Actually I recall a couple of days ago I was forced to change my password and I did so. I don’t think I’ve ever bought anything on the site so they wouldn’t have my credit card information anyway.

Edited by PhilipKT

1 hour ago, Bill Merkel said:

Unless you used the same combo at your bank. Programs try the stolen user names and unencrypted passwords on every bank in the world looking for a hit.

Yes, much easier to hack low level sites with poorer, or outdated security than to go straight for financial websites. Low level sites become a soft target and are the weak link in a chain.

Despite knowing it is foolish to do so, I think many still use the same passwords and ID across multiple platforms. Once the hackers have this, they can try it everywhere in seconds, and will get lucky sometimes.

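The credential-stuffing pattern Bill Merkel describes, shown from the defender's side as an added example (not from this thread): it reads a constructed login-audit log, flags any source address that tries many distinct accounts within a short window with a low success rate, and lists the accounts that did succeed from such a source so they can be reset. The log format, thresholds and sample lines are assumptions.

```python
"""Credential-stuffing detector over a constructed login-audit log.

Assumed line format: "<ISO time> <source_ip> <username> <SUCCESS|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source replays leaked logins against many
# accounts (one of them works), one legitimate user fumbles their own
# password twice, and one ordinary login.
SAMPLE_LOG = """\
2021-07-10T09:00:01 203.0.113.5 alice FAIL
2021-07-10T09:00:02 203.0.113.5 bob FAIL
2021-07-10T09:00:02 203.0.113.5 carol FAIL
2021-07-10T09:00:03 203.0.113.5 dave SUCCESS
2021-07-10T09:00:03 203.0.113.5 erin FAIL
2021-07-10T09:00:04 203.0.113.5 frank FAIL
2021-07-10T09:00:05 198.51.100.7 grace FAIL
2021-07-10T09:00:20 198.51.100.7 grace FAIL
2021-07-10T09:00:40 198.51.100.7 grace SUCCESS
2021-07-10T09:01:00 192.0.2.9 heidi SUCCESS
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for sources that,
    inside any `window`, hit at least `min_distinct_users` different accounts
    with a success rate at or below `max_success_ratio`. A user retrying
    their own password touches one account and is never flagged."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this source's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_distinct_users and successes / len(chunk) <= max_success_ratio:
                flagged[ip] = (len(users), len(chunk), successes)
    return flagged


def accounts_to_reset(log_text, **kw):
    """Accounts that logged in successfully from a flagged source: the
    'lucky hits' that need a forced password reset and a session revoke."""
    flagged = find_stuffing_sources(log_text, **kw)
    hits = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return sorted({u for _, ip, u, ok in hits if ok and ip in flagged})
```

Thresholds are deliberately simple; a distributed, low-and-slow campaign spreads attempts over many addresses and needs aggregation by account or by password-reuse signal rather than by source IP.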

8 hours ago, Violadamore said:


Yup.  I used to be in the business.  Thank you both for your responses.  I'd type something brilliantly sarcastic at this point to express my feelings about how a lot of that processing is currently done, but it would be neither wise nor productive.  :ph34r:

Yes, not processed securely at all in most cases, sadly.

I don't know about you but I'm glad that I have almost nothing to do with that kind of stuff anymore. 

