Security Breech from Bill Goodwin- UPDATE IN POST #77

[3-2-count]

Hi Ed. The email that I received is exactly like the one which was copy and pasted in post #26 in this thread by another member.

[edhans]

The link was dead in mine. I had to key in the URL.

[3-2-count]

That’s odd Ed. Mine most definitely had a live link.

[swarmee]

It depends on your browser/email program settings. The same link will be live for some and turned off for others.

[Snapolit1]

Quote:

Originally Posted by 3-2-count

That’s odd Ed. Mine most definitely had a live link.

Mine did too.

[tedzan]

I'm shocked ! Shocked ! To see such recklessness going on here

I didn't know what to make of it at first. But, it had been such a long time that I last bid in Bill's previous
auctions, that it was an old discarded Password. Anyhow, as far as I was concerned...."No harm, No foul".

However, I very well understand everyone's concerns here.

Also, the link (hi-lighted) was there below my Password.


TED Z
.

[teza11]

I got the same email. This breach has caused me to sign-up with 1Password and spend MY ENTIRE DAY...YES...MY ENTIRE DAY...BUT I'M NOT BITTER OR ANYTHING...resetting my passwords across all auction, banking, investment, travel, chat, and misc "sign on" sites. On a positive note, it's the kick in the ass I needed to finally get it done.

Jeff

[bcornell]

Quote:

Originally Posted by swarmee

It depends on your browser/email program settings. The same link will be live for some and turned off for others.

John is correct. The newest version of Firefox, for example, is blocking access to many non-secure sites (i.e., ones that start with http, not https). N54 is getting that treatment right now.

This will happen soon with Chrome, as well, and then it will *very* disruptive since that browser is like 70% of market share now. The burden is on site owners to purchase secure certificates, install them, and run their sites under HTTPS.

Bill Goodwin shouldn't be running an auction site in 2020. That's pretty obvious.

[whiteymet]

Quote:

Originally Posted by swarmee

It depends on your browser/email program settings. The same link will be live for some and turned off for others.

So back to my original question. Since my email DID have a link and I clicked on it, am I at risk?

[buymycards]

Here are a couple of more things - nothing major, but kind of weird:

1. The link in the email is https:, but when I click on the link and go to the auction, it is not https: and Google says that the site is not secure.

2. I reset my password yesterday shortly after I received the email. I tried logging in a few minutes ago and the password didn't work, so I had to reset it again.

3. I normally don't click on links in the body of an email, but I think, in this case, it seems to be OK. I shouldn't have done it yesterday when I received the email. I should have typed the address into my browser and logged in that way.

4. I was originally concerned that my credit card info was carried from the old site to the new Heartland site, but I was looking at the rules a few minutes ago, and they do not accept PayPal or credit cards, so that shouldn't be an issue.

5. Another thought is that when I first set up my username and password for the old Beckett site, I assumed that this info would only be used for that particular site. If Bill bought the customer list from Beckett or whoever, (whomever?) I can understand it if the customer list included my email address, and my name, and maybe even my shipping address or my username, but my password? That shouldn't have happened.

6. With all of that being said, that is one hell of a nice group of cards for sale! (More free advertising for the auction)

[hcv123]

Stood out as strange, but didn't give it enough thought till reading this thread - THANK YOU for starting it. The link in my email was also not clickable. I sent an email requesting all my information be immediately removed from their system. Idiocy!

Don't want to go off on a tangent, but wasn't Goodwin accused of questionable activities (or worse?)? Not trying to start anything unnecessarily here, but I thought I remembered reading something. If I'm wrong - please clearly state so.

[bcornell]

Quote:

Originally Posted by whiteymet

So back to my original question. Since my email DID have a link and I clicked on it, am I at risk?

Fred - short answer: there's no risk. The link is to a website, but nothing gets installed on your device if you clicked on it. This isn't a malware problem, it's a website-run-by-incompetents problem.

Another question here was about Goodwin's practices. Common sense would ask why he got higher prices on so many cards like D304's and Clemente rookies than all other auction sites. His silly answer was that people trusted him more. Why did the same cards get auctioned multiple times? Why did consignors not get paid for many months? It all comes back to the same problem: him.

He's back and the same nonsense will happen again if bidders allow it to happen.

[prewarsports]

RMY Auctions switched to Create Auction several years ago and could not be happier. There is no on/off function that would ever allow us to see a password, ever!

[pokerplyr80]

I received the same email and my link worked. As is normal around here it appears I'm in the minority with my opinion, but I just figure most of these companies can access my password if they want it. If I just talk to someone about something random adds pop up on facebook or google. I don't really care about some auction house having my email and password. But it was odd to see it in an email when it wasn't even requested. The link alone would have been sufficient.

[T206.org]

Quote:

Originally Posted by brass_rat

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

Spot on advice.

When I received the email from Bill I was alarmed but not overly worried, because I use 1Password and have a different password for every website.

[buymycards]

I was thinking about using a password manager, so I looked through the notebook that I use to keep track of websites, usernames, and passwords, and I found that I have nearly 140 usernames and over 100 different passwords for 226 different websites.

I'm not sure what that says about me and the amount of time that I spend online. Nerd? Yes. Nothing better to do? Most of the time. Obsessed with baseball cards? Certainly. Spending too much money? Yup. Having fun? Oh yeah! Going to try to cut back on the amount of time that I am online? Hell no!

[bobfreedman]

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value. When you log in for the first time, you will be forced to change your password or you can go to Forgot Password and change it immediately.

As for other auction companies being able to see PW's, the vast majority cannot see your passwords nor your Max bids. We do have some older smaller legacy companies that can and we are working with them to turn them off. I will not name them so do not ask but it is a very small amount and they are very small companies. Please accept my apologies once again.

I will not be responding to this thread further.

Bob Freedman

[buymycards]

Here is the email that I received this morning.

Username and Password
Inbox
x

bill@go-heartland.com
8:42 AM (21 minutes ago)
to me

Dear Bidder,

As you are probably aware clear text usernames and passwords were sent out via email to all the bidders imported into Heartland's database. This was done in error. The email was not sent from the website, but was sent using mail merge and the spreadsheet used to import the data. We have since changed all the passwords in the system to a random value. To reset your password please go to this page:

https://go-heartland.com/forgotpassword.aspx

and enter your email address. A reset password link will be sent to you. You may use the forgot password page at any time to reset it.

Your new password will not be visible to anyone at Heartland Auctions or Simple Auction Site.

We apologize for any inconvenience this may have caused you.

Bill Goodwin
Heartland Auctions
314-849-9798
Go-Heartland.com

[Jim VB]

Quote:

Originally Posted by bobfreedman

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value. When you log in for the first time, you will be forced to change your password or you can go to Forgot Password and change it immediately.

As for other auction companies being able to see PW's, the vast majority cannot see your passwords nor your Max bids. We do have some older smaller legacy companies that can and we are working with them to turn them off. I will not name them so do not ask but it is a very small amount and they are very small companies. Please accept my apologies once again.

I will not be responding to this thread further.

Bob Freedman

With all due respect Bob, this isn’t quite accurate. Heartland is NOT an “older, smaller, legacy company.” They are brand new. Their first auction started yesterday.

The email addresses, usernames, and passwords which were released were from a different company.

[pawpawdiv9]

Yep ^^ got the the new email too this morning. Already re-set password again.
And looked at the early bidding on some nice High-graded cards.

[bigfanNY]

I responded to the email from Hartland Auctions asking them to remove any and all of my information from their records. Not that I have same password but some even recent passwords have common letter and number patterns. So I did have to spend some time cleaning up after this data breech.
I am a little confused Bob Friedman came on here apologizing for the email? So he is saying that it originated from him and not Hartland Auctions?
And I think it is 100% wrong for him not to name the auction sites that have access to passwords and bids that use Simple Auction. So now we have to assume that any simple Auction Site has the capability. (Unless Auction house comes out and says specifically it dose not have access).
This is why data breeches of this type often end up in litigation. Given the seriousness of Identity theft to offer up unsecured email address tied to usernames and passwords gives the people who steal identities a giant head start.
Trust is a valuable commodity. After last year I had hoped our hobby would have spent 2020 recovering. Now I see my trust betrayed during a time when I and most of the world have bigger things to address.

[Den*nis O*Brien]

...a second email which was basically an apology for the "Error" and explanation for the first email. It did nothing to make me feel any better about the previous events.
As I have said ...Mr. Goodwin was always a personable and helpful person regarding his old auctions. But as so many of our members have expressed opinions that this is too big of an "Error" to over look. I am still disappointed and will not forget all of this going forward.

Dennis O'Brien

[whiteymet]

[QUOTE=bcornell;1963956]Fred - short answer: there's no risk. The link is to a website, but nothing gets installed on your device if you clicked on it. This isn't a malware problem, it's a website-run-by-incompetents problem.


Thanks for the info

Fred

[Republicaninmass]

Risk of auction houses shilling up bids > sending you a "reminder" email with password and user name clearly from Goodwins old list with a new name.

Contacting law enforcement...priceless

[bcornell]

Quote:

Originally Posted by bigfanNY

I am a little confused Bob Friedman came on here apologizing for the email? So he is saying that it originated from him and not Hartland Auctions?
And I think it is 100% wrong for him not to name the auction sites that have access to passwords and bids that use Simple Auction. So now we have to assume that any simple Auction Site has the capability. (Unless Auction house comes out and says specifically it dose not have access).
This is why data breeches of this type often end up in litigation.

Bob Freedman's non-apology isn't nearly sufficient. I would ask them if they one-way encrypt passwords or if they're stored in clear text. I bet I know the answer. They're lax.



You don't have to come answer questions here, Bob. Wait until you have a data breach (oops, I mean another one) and then you can answer questions from attorneys.

[BeanTown]

Quote:

Originally Posted by bobfreedman

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value.

I will not be responding to this thread further.

Bob Freedman

Many are talking over my pay grade for how auction software works. However, reading the last statement from Bob, makes me think he doesn't want to address an on going problem. Bill brings up good points and I thought Bob would be more than happy to put everyones mind to ease and answer any questions.

[Jim VB]

UPDATE:

SIMPLEAUCTIONSITE.COM is in the process of updating their systems. They have notified all of their clients that they are changing their systems. As Bob posted here, some auction houses have had the ability to see passwords. This function will go away shortly. I guess that’s the good news.

The bad news is that some of these guys have, for years, been able to use the passwords and that means they had the ability to see everything you bid in their auctions. Changing passwords did nothing. The guys with password access, including certain auction houses, and SimpleAuctionSite.com, could simply look at anything you bid on and see your max bids!

As always, remember that the honesty of any auction house comes down to the honesty of the auction house owner. Only deal with people you trust.

Bob also told me that he did not “leak” the old Goodwin list to Bill Goodwin. Bob says he was given the data and merely input it to Heartland Auctions.

That means the info could only have come from two sources. Either Beckett’s gave it or sold it back to Bill, or Bill made a copy before he sold his company to Beckett.

Keep that in mind when deciding who the “people you trust” really are!

(During the course of this mess, I emailed questions to Freedman, Goodwin, and Beckett. Only Freedman was nice enough to respond.)

[Blwilson2]

Check this out

https://www.go-heartland.com/

he close of tonight’s inaugural Heartland Sports Cards and Memorabilia auction has been postponed.
Earlier today we were targeted in a law suit by another memorabilia company, which we view to be malicious and unwarranted. Rather than continue with tonight’s scheduled closing, we are taking a reasonable and prudent approach and suspending the auction.
We appreciate your understanding in this matter and apologize for any inconvenience it may cause. As always, our first obligation is to our consignors and buyers, which makes this action necessary.
It is our plan to honor all current bids when the auction resumes, provided bidders consent at that time.
We will provide you with updates by e-mail as information becomes available or feel free to check our website.
Sincerely,
Bill Goodwin
President
Heartland Sports Cards and Memorabilia
For all other questions please contact Bill Goodwin at Bill@Go-Heartland.com or 314-308-4649

[swarmee]

Already being discussed:
https://www.net54baseball.com/showthread.php?t=281442