Security Breech from Bill Goodwin- UPDATE IN POST #77

[Jim VB]

I received an email this morning from Bill Goodwin’s new venture. In the email he includes a username and password. He uses the password from his old auction house, which he sold to Beckett’s 5-6 years ago.

First, the password info is supposed to protected and not available to the auction house.

Second, in this day and age, no one should be posting that info in an unencrypted fashion, in an email.

I’d like to know whether the source of this breach was Beckett’s, or Bob Freedman.

It’s certainly possible that Beckett’s sold the customer list to Bill. (I prefer thinking that they sold it, as the alternative is that Bill stole it.), but theoretically, that list should not include passwords.

I have emailed my concerns to Beckett’s, Bill Goodwin, and Bob Freedman. None have replied.

To me, this is a HUGE concern.

Remember, we have been told in the past that generally speaking, auction houses are not able to see your max bids. However, if the house has access to the password, they can now simply log on and look.

[t206fanatic]

I received the same email. Very troubling.

[ValKehl]

Quote:

Originally Posted by t206fanatic

I received the same email. Very troubling.

+1. Jim, thanks for quickly taking the actions you did.

[pawpawdiv9]

I just looked at the same email too!
I actually just looked at his auction listings.
I am in the same boat as to why the 'private password/username' was there.

[buymycards]

I also received this email. My username and password was unprotected in the body of the email. When I used this info to log into Heartland, Google told me that there was a data breech and that I should change my password immediately, which I did. I wanted to log into my account to see if my credit card info was listed. Thank heaven it was not transferred to Heartland Auctions from the old site.

Rick

[pawpawdiv9]

^^^interesting???
I am gonna try and log-in and see if this happens, and if so change mine.
BTW- i also sent a message thru the site's contact page about this matter.

[Bugsy]

They shouldn't even have access to my password in the first place, let alone sending that in an email. Very concerning.

[brass_rat]

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

[x2drich2000]

Quote:

Originally Posted by brass_rat

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

You mean my password shouldn't be Password123 on every site?

[T206.org]

Quote:

Originally Posted by brass_rat

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

Spot on advice.

When I received the email from Bill I was alarmed but not overly worried, because I use 1Password and have a different password for every website.

[Jim VB]

Changing your password is a futile exercise if the software company makes it available to the auction house.

At that point, it’s no longer “secure.”

[Sean1125]

There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

In my opinion Bill sent this out in a shameless effort to bring awareness to his auction, not understanding the severity of sending out passwords unencrypted to an email.

Based on his this happened, Bob ported over Goodwin's old info to a new website or Bill kept one for his records.

I am sure Beckett would love to hear about this.

[Republicaninmass]

Assume the non-compete is over

[Den*nis O*Brien]

..got the same email this AM. It looked so "Fishy" that I did not even open it...straight to delete. I am thankful to the OP and the other respondents that put me informed on this. I always had good phone contacts with Bill Goodwin on items in his past auctions. Always the low $ stuff but he was very helpful. But this is inexcusable and in this competitive market I do not need reckless and careless houses putting me at risk. Both parties are off of my list of places to do business with. Once again the Net54 community was vigilant and helpful in keeping us informed. Thank you...

Sincerely, Dennis O'Brien ( Name as per the rules on these matters...I think)

[the-illini]

An unencrypted password is not a password; it is basically useless from a data integrity perspective.

[conor912]

Piss poor form by Goodwin. The subject line “your username and password” almost makes it comical, it’s that stupid.

[Jim VB]

Quote:

Originally Posted by Sean1125

There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

In my opinion Bill sent this out in a shameless effort to bring awareness to his auction, not understanding the severity of sending out passwords unencrypted to an email.

Based on his this happened, Bob ported over Goodwin's old info to a new website or Bill kept one for his records.

I am sure Beckett would love to hear about this.

I’ve spoken to two other auction houses who use SimpleAuctionSite.com. They both told me they do not have access to passwords. If you forget a password and ask them to help, all they can do is give you a “Reset Password” link.

Now, it’s possible that this is one of those options that Bob can turn on or off for each auction house. (Like he has admitted he can do with the visibility of max bids.) If so, the first breach is theirs, by giving/selling that info to Goodwin. The second breach is Bill’s by publishing it in unencrypted fashion in an email.

[sb1]

[QUOTE=Sean1125;1963574]There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

This is false....

I can not see any ones password on my admin page for Simple Auctions. I can not even see how many characters there are to even begin to assist anyone in remembering their password. I can only send a password reset.

[bbcard1]

There was a time when the least secure thing you could do was write your password down and put it beside your computer. Now it's probably the safest place for your password to be.

[Leon]

Quote:

Originally Posted by bbcard1

There was a time when the least secure thing you could do was write your password down and put it beside your computer. Now it's probably the safest place for your password to be.

I have my computer lock password taped to the bottom of my screen . Never been a problem. It is a 23" LCD at home, of course.