By Greg Smith
NEW YORK CITY — Online auction platform LiveAuctioneers announced that a June 19 cyber attack against one of its IT suppliers compromised much of the user information stored on the site, with the exception of complete payment cards.
The company wrote, “The data that has been exposed includes user account information like names, email addresses, mailing addresses, phone numbers, visit history and encrypted passwords.”
The company noted that those responsible were able to decrypt passwords after the breach, meaning that anyone who uses the same email and password on other sites will have those accounts compromised as well.
The information leak likely affected up to 3.4 million users. Digital security firm CloudSEK reported that it has found the information for sale on a surface web database marketplace. “The poster is selling 3.4 million users’ data and 3 million cracked username password combinations. The seller has shared 15 user records and 24 email-password combinations to support their claims,” the researchers said.
CloudSEK wrote that the information taken can be used to “orchestrate phishing campaigns, online and offline scams, and even identity theft… Usually our mobile numbers and email IDs are linked to banking, mobile wallet and other online accounts. Having these details makes it easier for threat actors to compromise the victims’ accounts.”
In response, LiveAuctioneers disabled all passwords created on the site before July 11 and required them to be changed immediately upon login. The company says it will implement stronger password requirements for users in the future, along with stronger password encryption on the back end of the site. It wrote that it will partner with cyber security experts to further secure its website and systems.