Net54baseball.com Forums


Jim VB 03-20-2020 11:10 AM

Security Breach from Bill Goodwin - UPDATE IN POST #77
 
I received an email this morning from Bill Goodwin’s new venture. In the email he includes a username and password. He uses the password from his old auction house, which he sold to Beckett’s 5-6 years ago.

First, the password info is supposed to be protected and not available to the auction house.

Second, in this day and age, no one should be posting that info in an unencrypted fashion, in an email.

I’d like to know whether the source of this breach was Beckett’s, or Bob Freedman.

It’s certainly possible that Beckett’s sold the customer list to Bill. (I prefer thinking that they sold it, as the alternative is that Bill stole it.), but theoretically, that list should not include passwords.

I have emailed my concerns to Beckett’s, Bill Goodwin, and Bob Freedman. None have replied.

To me, this is a HUGE concern.

Remember, we have been told in the past that generally speaking, auction houses are not able to see your max bids. However, if the house has access to the password, they can now simply log on and look.

t206fanatic 03-20-2020 11:32 AM

I received the same email. Very troubling.

ValKehl 03-20-2020 11:47 AM

Quote:

Originally Posted by t206fanatic (Post 1963526)
I received the same email. Very troubling.

+1. Jim, thanks for quickly taking the actions you did.

pawpawdiv9 03-20-2020 12:22 PM

I just looked at the same email too!
I actually just looked at his auction listings.
I am in the same boat as to why the 'private password/username' was there.

buymycards 03-20-2020 12:23 PM

Me too
 
I also received this email. My username and password were unprotected in the body of the email. When I used this info to log into Heartland, Google told me that there was a data breach and that I should change my password immediately, which I did. I wanted to log into my account to see if my credit card info was listed. Thank heaven it was not transferred to Heartland Auctions from the old site.

Rick

pawpawdiv9 03-20-2020 12:26 PM

^^^interesting???
I am gonna try and log-in and see if this happens, and if so change mine.
BTW- i also sent a message thru the site's contact page about this matter.

Bugsy 03-20-2020 12:26 PM

They shouldn't even have access to my password in the first place, let alone sending that in an email. Very concerning.

brass_rat 03-20-2020 12:27 PM

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

Jim VB 03-20-2020 12:31 PM

Changing your password is a futile exercise if the software company makes it available to the auction house.

At that point, it’s no longer “secure.”

x2drich2000 03-20-2020 12:32 PM

Quote:

Originally Posted by brass_rat (Post 1963554)
I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

You mean my password shouldn't be Password123 on every site? :rolleyes:

glynparson 03-20-2020 12:34 PM

Quote:

Originally Posted by x2drich2000 (Post 1963558)
You mean my password shouldn't be Password123 on every site? :rolleyes:

Wow I never thought of adding the 123. I just went with password. Lol :-)

ullmandds 03-20-2020 12:37 PM

he must be upset that disney is closed?

wondo 03-20-2020 12:52 PM

Quote:

Originally Posted by ullmandds (Post 1963563)
he must be upset that disney is closed?

Now that’s funny!

brass_rat 03-20-2020 01:00 PM

Sorry, yes, I agree... Changing the passwords doesn't help, but if an entity has access to your password, at least they have access to only that one account and trying your email/password on multiple sites won't give them access to other things.

My comment was meant to be a tangent to the original post. Agreed that entities should not have access to passwords, whether it be auction house or other... And they should not be emailed in plain text, visible to any admins under any circumstances, etc.

Just trying to be helpful. Will bow out of this conversation now.

Sean1125 03-20-2020 01:05 PM

There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

In my opinion Bill sent this out in a shameless effort to bring awareness to his auction, not understanding the severity of sending out passwords unencrypted to an email.

Based on his this happened, Bob ported over Goodwin's old info to a new website or Bill kept one for his records.

I am sure Beckett would love to hear about this.

Republicaninmass 03-20-2020 01:14 PM

Assume the non-compete is over

Jim VB 03-20-2020 01:22 PM

Quote:

Originally Posted by Sean1125 (Post 1963574)
There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

In my opinion Bill sent this out in a shameless effort to bring awareness to his auction, not understanding the severity of sending out passwords unencrypted to an email.

Based on his this happened, Bob ported over Goodwin's old info to a new website or Bill kept one for his records.

I am sure Beckett would love to hear about this.


I’ve spoken to two other auction houses who use SimpleAuctionSite.com. They both told me they do not have access to passwords. If you forget a password and ask them to help, all they can do is give you a “Reset Password” link.

Now, it’s possible that this is one of those options that Bob can turn on or off for each auction house. (Like he has admitted he can do with the visibility of max bids.) If so, the first breach is theirs, by giving/selling that info to Goodwin. The second breach is Bill’s by publishing it in unencrypted fashion in an email.

sb1 03-20-2020 01:24 PM

Quote:

Originally Posted by Sean1125 (Post 1963574)
There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

This is false....

I cannot see anyone's password on my admin page for Simple Auctions. I cannot even see how many characters there are to even begin to assist anyone in remembering their password. I can only send a password reset.

bbcard1 03-20-2020 01:27 PM

There was a time when the least secure thing you could do was write your password down and put it beside your computer. Now it's probably the safest place for your password to be.

Leon 03-20-2020 01:33 PM

Quote:

Originally Posted by bbcard1 (Post 1963582)
There was a time when the least secure thing you could do was write your password down and put it beside your computer. Now it's probably the safest place for your password to be.

I have my computer lock password taped to the bottom of my screen :). Never been a problem. It is a 23" LCD at home, of course.

Den*nis O*Brien 03-20-2020 01:37 PM

I Also..
 
..got the same email this AM. It looked so "Fishy" that I did not even open it...straight to delete. I am thankful to the OP and the other respondents that put me informed on this. I always had good phone contacts with Bill Goodwin on items in his past auctions. Always the low $ stuff but he was very helpful. But this is inexcusable and in this competitive market I do not need reckless and careless houses putting me at risk. Both parties are off of my list of places to do business with. Once again the Net54 community was vigilant and helpful in keeping us informed. Thank you...

Sincerely, Dennis O'Brien ( Name as per the rules on these matters...I think)

the-illini 03-20-2020 01:43 PM

An unencrypted password is not a password; it is basically useless from a data integrity perspective.

conor912 03-20-2020 02:04 PM

Piss poor form by Goodwin. The subject line “your username and password” almost makes it comical, it’s that stupid.

mechanicalman 03-20-2020 02:40 PM

When I saw an email address "bill@___," I thought, shoot, what am I getting a bill for?

daves_resale_shop 03-20-2020 03:13 PM

Email
 
does anyone have a screenshot of the email. May be a spoof attempt to compromise the recipient, and not necessarily a data leak from goodwin... i’d be very careful in investigating the situation prior to ruling it a breach.

David linardy

buymycards 03-20-2020 03:42 PM

Screen shot
 
Quote:

Originally Posted by daves_resale_shop (Post 1963609)
does anyone have a screenshot of the email. May be a spoof attempt to compromise the recipient, and not necessarily a data leak from goodwin... i’d be very careful in investigating the situation prior to ruling it a breach.

David linardy



Username and Password

bill@go-heartland.com
8:15 AM (8 hours ago)
to me

Welcome to Bill Goodwin's Heartland Sports Auctions

Our first auction starts tomorrow, Saturday March 21 and ends Thursday April 9.

Here are your credentials to log in to your account along with a link for the Go-Heartland site.

Username: deleted
Password: deleted
Link: https://go-heartland.com/

Feel free to update any information such as your address, or update your username and/or password if you would like.

Thank you,

Bill Goodwin
Heartland Auctions
314-849-9798
Go-Heartland.com

daves_resale_shop 03-20-2020 05:23 PM

Quote:

Originally Posted by buymycards (Post 1963613)
Username and Password

bill@go-heartland.com
8:15 AM (8 hours ago)
to me

Welcome to Bill Goodwin's Heartland Sports Auctions

Our first auction starts tomorrow, Saturday March 21 and ends Thursday April 9.

Here are your credentials to log in to your account along with a link for the Go-Heartland site.

Username: deleted
Password: deleted
Link: https://go-heartland.com/

Feel free to update any information such as your address, or update your username and/or password if you would like.

Thank you,

Bill Goodwin
Heartland Auctions
314-849-9798
Go-Heartland.com

Thanks for that Rick,

Now I follow.

NATCARD 03-20-2020 05:30 PM

User name and Password
 
I use Simple Auction Site for my auctions. I can see all of my customers User id's and passwords. If they were to call and ask for their password I can give it to them. It also has the ability to send a reset password email which is much safer. Thanks, Jeff W (National Card Investors)

sb1 03-20-2020 05:49 PM

Odd.... then it must be an option for the administrator. I certainly can't see that.

Aquarian Sports Cards 03-20-2020 05:57 PM

It's a big problem for an auction to have access to user passwords. It really is carte blanche to do whatever they want. Not saying that any particular company would do something unethical, but the opportunity should not be there.

Sean 03-20-2020 06:36 PM

I don't know whether to be insulted or grateful that I didn't get an email from Bill.

Leon 03-20-2020 06:52 PM

Quote:

Originally Posted by sb1 (Post 1963646)
Odd.... then it must be an option for the administrator. I certainly can't see that.

I believe it was/is an option. I am sure we, when we ran the auctions together, chose the option to not see anyone's passwords or up to bids. My guess is that followed you to your new company.

bcornell 03-20-2020 07:14 PM

Quote:

Originally Posted by NATCARD (Post 1963641)
I use Simple Auction Site for my auctions. I can see all of my customers User id's and passwords. Thanks, Jeff W (National Card Investors)

Thanks for confirming this, Jeff.

It is completely unacceptable for the SimpleAuctionSite and Barnebys.com (their parent company) to allow passwords to be stored in clear text and to allow auction site owners to optionally see them. It's not an oversight or "not a big deal". This is a complicit, lazy, unacceptable breach of data security.

The list of sports auctions sites using their software is long. You can easily check this by looking at the footer of any page on a site. If it shows the SimpleAuctionSite logo, you can assume that your username and password are NOT private.

If the excuse is "it wasn't malicious", then the answer is that it's incompetence. They can choose. Bob Freedman and SimpleAuctionSite, get this fixed tomorrow.

Phil68 03-20-2020 07:16 PM

Is it possible it was a simple mistake by Bill or his administrator?
I got the email and was stupid enough to think "cool, my login hasn't changed" as I am a regular Goodwin participant. After reading this thread, I can see how foolish I was.
I'd like to think Bill is a solid dude. Maybe it was an honest mistake--albeit a rather large one?

swarmee 03-20-2020 07:34 PM

This would definitely be good information for the FBI (as it pertains to possible likelihood of shilling) and the Cyber Security feds to have. Shouldn't everyone involved in this be notified and given the option for oversight of their online accounts from the various credit tracking agencies?
I would recommend that you who have been notified by email forward it to the proper authorities.

prestigecollectibles 03-20-2020 07:41 PM

We use createauction.com, the same platform used by REA, Memory Lane, Lelands and others. We can't see user passwords or autobids.

Phil68 03-20-2020 08:09 PM

Quote:

Originally Posted by swarmee (Post 1963669)
This would definitely be good information for the FBI (as it pertains to possible likelihood of shilling) and the Cyber Security feds to have. Shouldn't everyone involved in this be notified and given the option for oversight of their online accounts from the various credit tracking agencies?
I would recommend that you who have been notified by email forward it to the proper authorities.

John,
They have it.

doug.goodman 03-20-2020 08:46 PM

Quote:

Originally Posted by bcornell (Post 1963664)
Thanks for confirming this, Jeff.

It is completely unacceptable for the SimpleAuctionSite and Barnebys.com (their parent company) to allow passwords to be stored in clear text and to allow auction site owners to optionally see them. It's not an oversight or "not a big deal". This is a complicit, lazy, unacceptable breach of data security.

The list of sports auctions sites using their software is long. You can easily check this by looking at the footer of any page on a site. If it shows the SimpleAuctionSite logo, you can assume that your username and password are NOT private.

If the excuse is "it wasn't malicious", then the answer is that it's incompetence. They can choose. Bob Freedman and SimpleAuctionSite, get this fixed tomorrow.

I agree.

RedsFan1941 03-20-2020 08:50 PM

i am not expecting either bill Goodwin or bob freedman to come on the board and explain anything.

bcornell 03-20-2020 09:08 PM

Quote:

Originally Posted by RedsFan1941 (Post 1963684)
i am not expecting either bill Goodwin or bob freedman to come on the board and explain anything.

Nope, Ronnie, they won't. That's why I contacted both directly, as well as Barnebys.com, the Swedish outfit that bought SimpleAuctionSite to let them know what they did wrong, why it's wrong, and how they have to fix it immediately.

I realize you think you're smarter than everyone else. That comes through in all your snarky, know-it-all posts. Some of them are even funny, although mostly they're just predictable and boring. Who are you, anyway?

Jobu 03-20-2020 09:28 PM

The grand kids are probably happy though, now that they are in their 20s it is tough spending so much time there. :D

Quote:

Originally Posted by ullmandds (Post 1963563)
he must be upset that disney is closed?


Stampsfan 03-21-2020 01:31 AM

As a now retired IT professional, this is absolutely shocking. I would not be doing business with anyone who does not use some kind of encryption for their clients' passwords. Not acceptable in any way.

I've always suspected that bids are known to many auction sites, as that can be raw data that anyone with a modicum of SQL skills could find... but this is on another level.

Any auction house using Simple Auction Site is now off my bid list.

Thanks for sharing.

Buythatcard 03-21-2020 07:10 AM

Because of this thread, he received free advertising. :D

All of you who didn't know about the upcoming auction, now do.

NATCARD 03-21-2020 07:11 AM

passwords and ids
 
As I woke up and read the continued thread I cannot think of the last time anyone asked me for this info. Maybe back in the day before I used Simple Auction Site when I used dry erase boards and took bids mostly by phone (back in 2009 and before). I see no reason to have access to any of this information and agree it should be blocked. If you forget your user password, GET A NEW ONE!

Jim VB 03-21-2020 09:53 AM

Quote:

Originally Posted by Stampsfan (Post 1963712)

Any auction house using Simple Auction Site is now off my bid list.

Thanks for sharing.


I think that’s probably a step too far, at least for now. Most of the auction house owners I know are honest guys. Several have told me they have never had access to passwords. Others have cleared it up and said it’s an option that SimpleAuctionSite.com can turn on or off. Obviously Bill Goodwin had it turned on.

What needs to happen is that Freedman needs to confirm it’s an option.

Then the various auctions houses using his software need to make clear that they do, or do not, have access to this info.

Then, old time auctioneers, like Bill Goodwin, need to stay far, far away from technology they don’t understand! Anyone who sends out plain text, unencrypted, passwords in emails shouldn’t be trusted with your info.

the-illini 03-21-2020 11:30 AM

Quote:

Originally Posted by Jim VB (Post 1963756)
I think that’s probably a step too far, at least for now. Most of the auction house owners I know are honest guys. Several have told me they have never had access to passwords. Others have cleared it up and said it’s an option that SimpleAuctionSite.com can turn on or off. Obviously Bill Goodwin had it turned on.

What needs to happen is that Freedman needs to confirm it’s an option.

Then the various auctions houses using his software need to make clear that they do, or do not, have access to this info.

Then, old time auctioneers, like Bill Goodwin, need to stay far, far away from technology they don’t understand! Anyone who sends out plain text, unencrypted, passwords in emails shouldn’t be trusted with your info.

Thing is, SimpleAuctionSite shouldn't have the ability to turn access to passwords on or off either.

whiteymet 03-21-2020 03:33 PM

I too received the email with my password and user ID.

Is there any thought to when I opened the link my computer could have been infected?

edhans 03-21-2020 04:37 PM

Quote:

Originally Posted by whiteymet (Post 1963848)
Is there any thought to when I opened the link my computer could have been infected?

There was no link in the email I received.

3-2-count 03-21-2020 04:49 PM

Quote:

Originally Posted by edhans (Post 1963870)
There was no link in the email I received.

There was in mine. Directly under my user name and PW.

edhans 03-21-2020 05:31 PM

Quote:

Originally Posted by 3-2-count (Post 1963874)
There was in mine. Directly under my user name and PW.

The "link" was not live; that is, clicking on it would not take you directly to the website. I had to key the url into my browser. FWIW I didn't log in anyway. Was your email different?

3-2-count 03-21-2020 05:41 PM

Hi Ed. The email that I received is exactly like the one which was copy and pasted in post #26 in this thread by another member.

edhans 03-21-2020 05:47 PM

The link was dead in mine. I had to key in the URL.

3-2-count 03-21-2020 05:51 PM

That’s odd Ed. Mine most definitely had a live link.

swarmee 03-21-2020 05:55 PM

It depends on your browser/email program settings. The same link will be live for some and turned off for others.

Snapolit1 03-21-2020 06:19 PM

Quote:

Originally Posted by 3-2-count (Post 1963899)
That’s odd Ed. Mine most definitely had a live link.

Mine did too.

tedzan 03-21-2020 06:30 PM

I'm shocked ! Shocked ! To see such recklessness going on here :)

I didn't know what to make of it at first. But, it had been such a long time that I last bid in Bill's previous
auctions, that it was an old discarded Password. Anyhow, as far as I was concerned...."No harm, No foul".

However, I very well understand everyone's concerns here.

Also, the link (hi-lighted) was there below my Password.


TED Z
.

teza11 03-21-2020 07:24 PM

I got the same email. This breach has caused me to sign-up with 1Password and spend MY ENTIRE DAY...YES...MY ENTIRE DAY...BUT I'M NOT BITTER OR ANYTHING...resetting my passwords across all auction, banking, investment, travel, chat, and misc "sign on" sites. On a positive note, it's the kick in the ass I needed to finally get it done.

Jeff

bcornell 03-21-2020 07:51 PM

Quote:

Originally Posted by swarmee (Post 1963904)
It depends on your browser/email program settings. The same link will be live for some and turned off for others.

John is correct. The newest version of Firefox, for example, is blocking access to many non-secure sites (i.e., ones that start with http, not https). N54 is getting that treatment right now.

This will happen soon with Chrome, as well, and then it will be *very* disruptive since that browser is like 70% of market share now. The burden is on site owners to purchase secure certificates, install them, and run their sites under HTTPS.

Bill Goodwin shouldn't be running an auction site in 2020. That's pretty obvious.

whiteymet 03-21-2020 08:00 PM

Quote:

Originally Posted by swarmee (Post 1963904)
It depends on your browser/email program settings. The same link will be live for some and turned off for others.

So back to my original question. Since my email DID have a link and I clicked on it, am I at risk?

buymycards 03-21-2020 08:22 PM

More
 
Here are a couple of more things - nothing major, but kind of weird:

1. The link in the email is https:, but when I click on the link and go to the auction, it is not https: and Google says that the site is not secure.

2. I reset my password yesterday shortly after I received the email. I tried logging in a few minutes ago and the password didn't work, so I had to reset it again.

3. I normally don't click on links in the body of an email, but I think, in this case, it seems to be OK. I shouldn't have done it yesterday when I received the email. I should have typed the address into my browser and logged in that way.

4. I was originally concerned that my credit card info was carried from the old site to the new Heartland site, but I was looking at the rules a few minutes ago, and they do not accept PayPal or credit cards, so that shouldn't be an issue.

5. Another thought is that when I first set up my username and password for the old Beckett site, I assumed that this info would only be used for that particular site. If Bill bought the customer list from Beckett or whoever, (whomever?) I can understand it if the customer list included my email address, and my name, and maybe even my shipping address or my username, but my password? That shouldn't have happened.

6. With all of that being said, that is one hell of a nice group of cards for sale! (More free advertising for the auction)

hcv123 03-21-2020 08:24 PM

I got the email too
 
Stood out as strange, but didn't give it enough thought till reading this thread - THANK YOU for starting it. The link in my email was also not clickable. I sent an email requesting all my information be immediately removed from their system. Idiocy!

Don't want to go off on a tangent, but wasn't Goodwin accused of questionable activities (or worse?)? Not trying to start anything unnecessarily here, but I thought I remembered reading something. If I'm wrong - please clearly state so.

bcornell 03-21-2020 09:23 PM

Quote:

Originally Posted by whiteymet (Post 1963936)
So back to my original question. Since my email DID have a link and I clicked on it, am I at risk?

Fred - short answer: there's no risk. The link is to a website, but nothing gets installed on your device if you clicked on it. This isn't a malware problem, it's a website-run-by-incompetents problem.

Another question here was about Goodwin's practices. Common sense would ask why he got higher prices on so many cards like D304's and Clemente rookies than all other auction sites. His silly answer was that people trusted him more. Why did the same cards get auctioned multiple times? Why did consignors not get paid for many months? It all comes back to the same problem: him.

He's back and the same nonsense will happen again if bidders allow it to happen.

prewarsports 03-21-2020 11:08 PM

RMY Auctions switched to Create Auction several years ago and could not be happier. There is no on/off function that would ever allow us to see a password, ever!

pokerplyr80 03-21-2020 11:58 PM

I received the same email and my link worked. As is normal around here it appears I'm in the minority with my opinion, but I just figure most of these companies can access my password if they want it. If I just talk to someone about something random, ads pop up on Facebook or Google. I don't really care about some auction house having my email and password. But it was odd to see it in an email when it wasn't even requested. The link alone would have been sufficient.

T206.org 03-22-2020 02:30 AM

Quote:

Originally Posted by brass_rat (Post 1963554)
I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.


Spot on advice.

When I received the email from Bill I was alarmed but not overly worried, because I use 1Password and have a different password for every website.

buymycards 03-22-2020 07:04 AM

password manager
 
I was thinking about using a password manager, so I looked through the notebook that I use to keep track of websites, usernames, and passwords, and I found that I have nearly 140 usernames and over 100 different passwords for 226 different websites.

I'm not sure what that says about me and the amount of time that I spend online. Nerd? Yes. Nothing better to do? Most of the time. Obsessed with baseball cards? Certainly. Spending too much money? Yup. Having fun? Oh yeah! Going to try to cut back on the amount of time that I am online? Hell no!

bobfreedman 03-22-2020 07:59 AM

Apologies
 
Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value. When you log in for the first time, you will be forced to change your password or you can go to Forgot Password and change it immediately.

As for other auction companies being able to see PW's, the vast majority cannot see your passwords nor your Max bids. We do have some older smaller legacy companies that can and we are working with them to turn them off. I will not name them so do not ask but it is a very small amount and they are very small companies. Please accept my apologies once again.

I will not be responding to this thread further.

Bob Freedman

buymycards 03-22-2020 08:13 AM

New email
 
Here is the email that I received this morning.

Username and Password

bill@go-heartland.com
8:42 AM (21 minutes ago)
to me

Dear Bidder,

As you are probably aware clear text usernames and passwords were sent out via email to all the bidders imported into Heartland's database. This was done in error. The email was not sent from the website, but was sent using mail merge and the spreadsheet used to import the data. We have since changed all the passwords in the system to a random value. To reset your password please go to this page:

https://go-heartland.com/forgotpassword.aspx

and enter your email address. A reset password link will be sent to you. You may use the forgot password page at any time to reset it.

Your new password will not be visible to anyone at Heartland Auctions or Simple Auction Site.

We apologize for any inconvenience this may have caused you.

Bill Goodwin
Heartland Auctions
314-849-9798
Go-Heartland.com

Jim VB 03-22-2020 08:21 AM

Quote:

Originally Posted by bobfreedman (Post 1964010)
Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value. When you log in for the first time, you will be forced to change your password or you can go to Forgot Password and change it immediately.

As for other auction companies being able to see PW's, the vast majority cannot see your passwords nor your Max bids. We do have some older smaller legacy companies that can and we are working with them to turn them off. I will not name them so do not ask but it is a very small amount and they are very small companies. Please accept my apologies once again.

I will not be responding to this thread further.

Bob Freedman


With all due respect Bob, this isn’t quite accurate. Heartland is NOT an “older, smaller, legacy company.” They are brand new. Their first auction started yesterday.

The email addresses, usernames, and passwords which were released were from a different company.

pawpawdiv9 03-22-2020 08:25 AM

Yep ^^ got the the new email too this morning. Already re-set password again.
And looked at the early bidding on some nice High-graded cards.

bigfanNY 03-22-2020 10:51 AM

I responded to the email from Heartland Auctions asking them to remove any and all of my information from their records. Not that I have the same password, but some even recent passwords have common letter and number patterns. So I did have to spend some time cleaning up after this data breach.
I am a little confused Bob Freedman came on here apologizing for the email? So he is saying that it originated from him and not Heartland Auctions?
And I think it is 100% wrong for him not to name the auction sites that have access to passwords and bids that use Simple Auction. So now we have to assume that any Simple Auction Site has the capability. (Unless Auction house comes out and says specifically it does not have access).
This is why data breaches of this type often end up in litigation. Given the seriousness of identity theft, to offer up unsecured email addresses tied to usernames and passwords gives the people who steal identities a giant head start.
Trust is a valuable commodity. After last year I had hoped our hobby would have spent 2020 recovering. Now I see my trust betrayed during a time when I and most of the world have bigger things to address.

Den*nis O*Brien 03-22-2020 11:14 AM

I Also Received...
 
...a second email which was basically an apology for the "Error" and explanation for the first email. It did nothing to make me feel any better about the previous events.
As I have said ...Mr. Goodwin was always a personable and helpful person regarding his old auctions. But as so many of our members have expressed opinions that this is too big of an "Error" to overlook. I am still disappointed and will not forget all of this going forward.

Dennis O'Brien

whiteymet 03-22-2020 11:38 AM

Quote:

Originally Posted by bcornell (Post 1963956)
Fred - short answer: there's no risk. The link is to a website, but nothing gets installed on your device if you clicked on it. This isn't a malware problem, it's a website-run-by-incompetents problem.


Thanks for the info

Fred

Republicaninmass 03-22-2020 11:54 AM

Risk of auction houses shilling up bids > sending you a "reminder" email with password and user name clearly from Goodwins old list with a new name.

Contacting law enforcement...priceless

bcornell 03-22-2020 12:09 PM

Quote:

Originally Posted by bigfanNY (Post 1964066)
I am a little confused Bob Freedman came on here apologizing for the email? So he is saying that it originated from him and not Heartland Auctions?
And I think it is 100% wrong for him not to name the auction sites that have access to passwords and bids that use Simple Auction. So now we have to assume that any Simple Auction Site has the capability. (Unless Auction house comes out and says specifically it does not have access).
This is why data breaches of this type often end up in litigation.


Bob Freedman's non-apology isn't nearly sufficient. I would ask them if they one-way encrypt passwords or if they're stored in clear text. I bet I know the answer. They're lax.



You don't have to come answer questions here, Bob. Wait until you have a data breach (oops, I mean another one) and then you can answer questions from attorneys.
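
Added example, not part of any post in this thread: the questions raised here are whether passwords are stored in clear text or one-way hashed, and what should happen to an imported spreadsheet of old credentials. This Python sketch keeps only a salted PBKDF2 hash, discards legacy cleartext on import and forces a reset link, so an admin page has nothing to display or mail-merge; `AccountStore`, its method names, the iteration count and the sample row are assumptions for illustration, not SimpleAuctionSite's code.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune for your hardware
RESET_TTL_SECONDS = 3600      # assumed lifetime of a reset link


def hash_password(password: str) -> str:
    """One-way, salted hash. Format: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(digest, expected)


def _token_hash(token: str) -> str:
    # Reset tokens are long random values, so a plain SHA-256 is enough at rest.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """Hypothetical in-memory user table; no column ever holds a recoverable password."""

    def __init__(self):
        self._rows = {}  # email -> {"username", "pw" (hash or None), "reset" (hash, expiry) or None}

    def import_legacy(self, rows):
        """Import (email, username, cleartext_password) rows from an old export.

        The cleartext is dropped: a list that lived in a spreadsheet is treated
        as exposed, so no old password is carried over or sent to anyone.
        """
        for email, username, _cleartext in rows:
            self._rows[email] = {"username": username, "pw": None, "reset": None}

    def admin_view(self):
        """Everything an auction-house admin page could show."""
        return [{"email": e, "username": r["username"], "has_password": r["pw"] is not None}
                for e, r in self._rows.items()]

    def issue_reset(self, email, now=None):
        """Return a one-time token for the emailed link; only its hash is stored."""
        row = self._rows.get(email)
        if row is None:
            return None  # the caller should answer identically for unknown addresses
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        row["reset"] = (_token_hash(token), now + RESET_TTL_SECONDS)
        return token

    def redeem_reset(self, email, token, new_password, now=None):
        """Set a new password if the token matches and has not expired."""
        row = self._rows.get(email)
        if row is None or row["reset"] is None:
            return False
        now = time.time() if now is None else now
        stored_hash, expires = row["reset"]
        if now > expires or not hmac.compare_digest(_token_hash(token), stored_hash):
            return False
        row["pw"] = hash_password(new_password)
        row["reset"] = None  # single use
        return True

    def login(self, email, password):
        row = self._rows.get(email)
        if row is None or row["pw"] is None:
            return False  # imported accounts cannot log in until they reset
        return verify_password(password, row["pw"])


if __name__ == "__main__":
    store = AccountStore()
    store.import_legacy([("bidder@example.com", "bidder1", "OldSitePass1")])  # constructed row
    print(store.admin_view())
    link_token = store.issue_reset("bidder@example.com")
    print(store.redeem_reset("bidder@example.com", link_token, "a new unique passphrase"))
    print(store.login("bidder@example.com", "a new unique passphrase"))
```
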

BeanTown 03-23-2020 05:02 PM

Quote:

Originally Posted by bobfreedman (Post 1964010)
Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value.

I will not be responding to this thread further.

Bob Freedman

Many are talking over my pay grade for how auction software works. However, reading the last statement from Bob makes me think he doesn't want to address an ongoing problem. Bill brings up good points and I thought Bob would be more than happy to put everyone's mind at ease and answer any questions.

Jim VB 03-26-2020 03:40 PM

UPDATE:

SIMPLEAUCTIONSITE.COM is in the process of updating their systems. They have notified all of their clients that they are changing their systems. As Bob posted here, some auction houses have had the ability to see passwords. This function will go away shortly. I guess that’s the good news.

The bad news is that some of these guys have, for years, been able to use the passwords and that means they had the ability to see everything you bid in their auctions. Changing passwords did nothing. The guys with password access, including certain auction houses, and SimpleAuctionSite.com, could simply look at anything you bid on and see your max bids!

As always, remember that the honesty of any auction house comes down to the honesty of the auction house owner. Only deal with people you trust.

Bob also told me that he did not “leak” the old Goodwin list to Bill Goodwin. Bob says he was given the data and merely input it to Heartland Auctions.

That means the info could only have come from two sources. Either Beckett’s gave it or sold it back to Bill, or Bill made a copy before he sold his company to Beckett.

Keep that in mind when deciding who the “people you trust” really are!

(During the course of this mess, I emailed questions to Freedman, Goodwin, and Beckett. Only Freedman was nice enough to respond.)

Blwilson2 04-12-2020 02:09 PM

More Intrigue - Heartland
 
Check this out

https://www.go-heartland.com/

The close of tonight’s inaugural Heartland Sports Cards and Memorabilia auction has been postponed.
Earlier today we were targeted in a lawsuit by another memorabilia company, which we view to be malicious and unwarranted. Rather than continue with tonight’s scheduled closing, we are taking a reasonable and prudent approach and suspending the auction.
We appreciate your understanding in this matter and apologize for any inconvenience it may cause. As always, our first obligation is to our consignors and buyers, which makes this action necessary.
It is our plan to honor all current bids when the auction resumes, provided bidders consent at that time.
We will provide you with updates by e-mail as information becomes available or feel free to check our website.
Sincerely,
Bill Goodwin
President
Heartland Sports Cards and Memorabilia
For all other questions please contact Bill Goodwin at Bill@Go-Heartland.com or 314-308-4649

swarmee 04-12-2020 04:43 PM

Already being discussed:
https://www.net54baseball.com/showthread.php?t=281442

