Security Breech from Bill Goodwin- UPDATE IN POST #77

[Jim VB]

I received an email this morning from Bill Goodwin’s new venture. In the email he includes a username and password. He uses the password from his old auction house, which he sold to Beckett’s 5-6 years ago.

First, the password info is supposed to protected and not available to the auction house.

Second, in this day and age, no one should be posting that info in an unencrypted fashion, in an email.

I’d like to know whether the source of this breach was Beckett’s, or Bob Freedman.

It’s certainly possible that Beckett’s sold the customer list to Bill. (I prefer thinking that they sold it, as the alternative is that Bill stole it.), but theoretically, that list should not include passwords.

I have emailed my concerns to Beckett’s, Bill Goodwin, and Bob Freedman. None have replied.

To me, this is a HUGE concern.

Remember, we have been told in the past that generally speaking, auction houses are not able to see your max bids. However, if the house has access to the password, they can now simply log on and look.

[t206fanatic]

I received the same email. Very troubling.

[ValKehl]

Quote:

Originally Posted by t206fanatic

I received the same email. Very troubling.

+1. Jim, thanks for quickly taking the actions you did.

[pawpawdiv9]

I just looked at the same email too!
I actually just looked at his auction listings.
I am in the same boat as to why the 'private password/username' was there.

[buymycards]

I also received this email. My username and password was unprotected in the body of the email. When I used this info to log into Heartland, Google told me that there was a data breech and that I should change my password immediately, which I did. I wanted to log into my account to see if my credit card info was listed. Thank heaven it was not transferred to Heartland Auctions from the old site.

Rick

[pawpawdiv9]

^^^interesting???
I am gonna try and log-in and see if this happens, and if so change mine.
BTW- i also sent a message thru the site's contact page about this matter.

[Bugsy]

They shouldn't even have access to my password in the first place, let alone sending that in an email. Very concerning.

[brass_rat]

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

[Jim VB]

Changing your password is a futile exercise if the software company makes it available to the auction house.

At that point, it’s no longer “secure.”

[x2drich2000]

Quote:

Originally Posted by brass_rat

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

You mean my password shouldn't be Password123 on every site?

[glynparson]

Quote:

Originally Posted by x2drich2000

You mean my password shouldn't be Password123 on every site?

Wow I never thought of adding the 123. I just went with password. Lol :-)

[ullmandds]

he must be upset that disney is closed?

[wondo]

Quote:

Originally Posted by ullmandds

he must be upset that disney is closed?

Now that’s funny!

[brass_rat]

Sorry, yes, I agree... Changing the passwords don't help, but if an entity has access to your password, at least they have access to only that one account and trying your email/password on multiple sites won't give them access to other things.

My comment was meant to be a tangent to the original post. Agreed that entities should not have access to passwords, whether it be auction house or other... And they should not be emailed in plain text, visible to any admins under any circumstances, etc.

Just trying to be helpful. Will bow out of this conversation now.

[Sean1125]

There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

In my opinion Bill sent this out in a shameless effort to bring awareness to his auction, not understanding the severity of sending out passwords unencrypted to an email.

Based on his this happened, Bob ported over Goodwin's old info to a new website or Bill kept one for his records.

I am sure Beckett would love to hear about this.

[Republicaninmass]

Assume the non-compete is over

[Jim VB]

Quote:

Originally Posted by Sean1125

There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

In my opinion Bill sent this out in a shameless effort to bring awareness to his auction, not understanding the severity of sending out passwords unencrypted to an email.

Based on his this happened, Bob ported over Goodwin's old info to a new website or Bill kept one for his records.

I am sure Beckett would love to hear about this.

I’ve spoken to two other auction houses who use SimpleAuctionSite.com. They both told me they do not have access to passwords. If you forget a password and ask them to help, all they can do is give you a “Reset Password” link.

Now, it’s possible that this is one of those options that Bob can turn on or off for each auction house. (Like he has admitted he can do with the visibility of max bids.) If so, the first breach is theirs, by giving/selling that info to Goodwin. The second breach is Bill’s by publishing it in unencrypted fashion in an email.

[sb1]

[QUOTE=Sean1125;1963574]There is no breach.

Simpleauctionsite does not encrypt passwords, I know owners of several who have been able to view passwords and provide them if I forgot.

This is false....

I can not see any ones password on my admin page for Simple Auctions. I can not even see how many characters there are to even begin to assist anyone in remembering their password. I can only send a password reset.

[bbcard1]

There was a time when the least secure thing you could do was write your password down and put it beside your computer. Now it's probably the safest place for your password to be.

[Leon]

Quote:

Originally Posted by bbcard1

There was a time when the least secure thing you could do was write your password down and put it beside your computer. Now it's probably the safest place for your password to be.

I have my computer lock password taped to the bottom of my screen . Never been a problem. It is a 23" LCD at home, of course.

[Den*nis O*Brien]

..got the same email this AM. It looked so "Fishy" that I did not even open it...straight to delete. I am thankful to the OP and the other respondents that put me informed on this. I always had good phone contacts with Bill Goodwin on items in his past auctions. Always the low $ stuff but he was very helpful. But this is inexcusable and in this competitive market I do not need reckless and careless houses putting me at risk. Both parties are off of my list of places to do business with. Once again the Net54 community was vigilant and helpful in keeping us informed. Thank you...

Sincerely, Dennis O'Brien ( Name as per the rules on these matters...I think)

[the-illini]

An unencrypted password is not a password; it is basically useless from a data integrity perspective.

[conor912]

Piss poor form by Goodwin. The subject line “your username and password” almost makes it comical, it’s that stupid.

[mechanicalman]

When I saw an email address "bill@___," I thought, shoot, what I am getting a bill for?

[daves_resale_shop]

does anyone have a screenshot of the email. May be a spoof attempt to compromise the recipient, and not necessarily a data leak from goodwin... i’d be very careful in investigating the situation prior to ruling it a breach.

David linardy

[buymycards]

Quote:

Originally Posted by daves_resale_shop

does anyone have a screenshot of the email. May be a spoof attempt to compromise the recipient, and not necessarily a data leak from goodwin... i’d be very careful in investigating the situation prior to ruling it a breach.

David linardy

Username and Password
Inbox
x

bill@go-heartland.com
8:15 AM (8 hours ago)
to me

Welcome to Bill Goodwin's Heartland Sports Auctions

Our first auction starts tomorrow, Saturday March 21 and ends Thursday April 9.

Here are your credentials to log in to your account along with a link for the Go-Heartland site.

Username: deleted
Password: deleted
Link: https://go-heartland.com/

Feel free to update any information such as your address, or update your username and/or password if you would like.

Thank you,

Bill Goodwin
Heartland Auctions
314-849-9798
Go-Heartland.com

[daves_resale_shop]

Quote:

Originally Posted by buymycards

Username and Password
Inbox
x

bill@go-heartland.com
8:15 AM (8 hours ago)
to me

Welcome to Bill Goodwin's Heartland Sports Auctions

Our first auction starts tomorrow, Saturday March 21 and ends Thursday April 9.

Here are your credentials to log in to your account along with a link for the Go-Heartland site.

Username: deleted
Password: deleted
Link: https://go-heartland.com/

Feel free to update any information such as your address, or update your username and/or password if you would like.

Thank you,

Bill Goodwin
Heartland Auctions
314-849-9798
Go-Heartland.com

Thanks for that Rick,

Now I follow.

[NATCARD]

I use Simple Auction Site for my auctions. I can see all of my customers User id's and passwords. If they were to call and ask for their password I can give it to them. It also has the ability to send a reset password email which is much safer. Thanks, Jeff W (National Card Investors)

[sb1]

Odd.... then it must be an option for the administrator. I certainly can't see that.

[Aquarian Sports Cards]

It's a big problem for an auction to have access to user passwords. It really is carte blanche to do whatever they want. Not saying that any particular company would do something unethical, but the opportunity should not be there.

[Sean]

I don't know whether to be insulted or grateful that I didn't get an email from Bill.

[Leon]

Quote:

Originally Posted by sb1

Odd.... then it must be an option for the administrator. I certainly can't see that.

I believe it was/is an option. I am sure we, when we ran the auctions together, chose the option to not see anyone's passwords or up to bids. My guess is that followed you to your new company.

[bcornell]

Quote:

Originally Posted by NATCARD

I use Simple Auction Site for my auctions. I can see all of my customers User id's and passwords. Thanks, Jeff W (National Card Investors)

Thanks for confirming this, Jeff.

It is completely unacceptable for the SimpleAuctionSite and Barnebys.com (their parent company) to allow passwords to be stored in clear text and to allow auction site owners to optionally see them. It's not an oversight or "not a big deal". This is a complicit, lazy, unacceptable breach of data security.

The list of sports auctions sites using their software is long. You can easily check this by looking at the footer of any page on a site. If it shows the SimplyAuctionSite logo, you can assume that your username and password are NOT private.

If the excuse is "it wasn't malicious", then the answer is that it's incompetence. They can choose. Bob Freedman and SimplyAuctionSite, get this fixed tomorrow.

[Phil68]

Is it possible it was a simple mistake by Bill or his administrator?
I got the email and was stupid enough to think "cool, my login hasn't changed" as I am a regular Goodwin participant. After reading this thread, I can see how foolish I was.
I'd like to think Bill is a solid dude. Maybe it was an honest mistake--albeit a rather large one?

[swarmee]

This would definitely be good information for the FBI (as it pertains to possible likelihood of shilling) and the Cyber Security feds to have. Shouldn't everyone involved in this be notified and given the option for oversight of their online accounts from the various credit tracking agencies?
I would recommend that you who have been notified by email forward it to the proper authorities.

[prestigecollectibles]

We use createauction.com, the same platform used by REA, Memory Lane, Lelands and others. We can't see user passwords or autobids.

[Phil68]

Quote:

Originally Posted by swarmee

This would definitely be good information for the FBI (as it pertains to possible likelihood of shilling) and the Cyber Security feds to have. Shouldn't everyone involved in this be notified and given the option for oversight of their online accounts from the various credit tracking agencies?
I would recommend that you who have been notified by email forward it to the proper authorities.

John,
They have it.

[doug.goodman]

Quote:

Originally Posted by bcornell

Thanks for confirming this, Jeff.

It is completely unacceptable for the SimpleAuctionSite and Barnebys.com (their parent company) to allow passwords to be stored in clear text and to allow auction site owners to optionally see them. It's not an oversight or "not a big deal". This is a complicit, lazy, unacceptable breach of data security.

The list of sports auctions sites using their software is long. You can easily check this by looking at the footer of any page on a site. If it shows the SimplyAuctionSite logo, you can assume that your username and password are NOT private.

If the excuse is "it wasn't malicious", then the answer is that it's incompetence. They can choose. Bob Freedman and SimplyAuctionSite, get this fixed tomorrow.

I agree.

[RedsFan1941]

i am not expecting either bill Goodwin or bob freedman to come on the board and explain anything.

[bcornell]

Quote:

Originally Posted by RedsFan1941

i am not expecting either bill Goodwin or bob freedman to come on the board and explain anything.

Nope, Ronnie, they won't. That's why I contacted both directly, as well as Barnebys.com, the Swedish outfit that bought SimpleAuctionSite to let them know what they did wrong, why it's wrong, and how they have to fix it immediately.

I realize you think you're smarter than everyone else. That comes through in all your snarky, know-it-all posts. Some of them are even funny, although mostly they're just predictable and boring. Who are you, anyway?

[Jobu]

The grand kids are probably happy though, now that they are in their 20s it is tough spending so much time there.

Quote:

Originally Posted by ullmandds

he must be upset that disney is closed?

[Stampsfan]

As a now retired IT professional, this is absolutely shocking. I would not be doing business with anyone who does not use some kind of encryption for their clients passwords. Not acceptable in any way.

I've always suspected that bids are known to many auction sites, as that can be raw data that anyone with a modicum of SQL skills could find... but this is on another level.

Any auction house using Simple Auction Site is now off my bid list.

Thanks for sharing.

[Buythatcard]

Because of this thread, he received free advertising.

All of you who didn't know about the upcoming auction, now do.

[NATCARD]

As I woke up and read the continued thread I can not think of the last time anyone asked me for this info. Maybe back in the day before I used Simple Auction site when i used dry erase boards and took bids mostly by phone (back in 2009 and before). I see no reason to have access to any of this information and agree it should be blocked. If you forget you user password, GET A NEW ONE!

[Jim VB]

Quote:

Originally Posted by Stampsfan

Any auction house using Simple Auction Site is now off my bid list.

Thanks for sharing.

I think that’s probably a step too far, at least for now. Most of the auction house owners I know are honest guys. Several have told me they have never had access to passwords. Others have cleared it up and said it’s an option that SimpleAuctionSite.com can turn on or off. Obviously Bill Goodwin had it turned on.

What needs to happen is that Freedman needs to confirm it’s an option.

Then the various auctions houses using his software need to make clear that they do, or do not, have access to this info.

Then, old time auctioneers, like Bill Goodwin, need to stay far, far away from technology they don’t understand! Anyone who sends out plain text, unencrypted, passwords in emails shouldn’t be trusted with your info.

[the-illini]

Quote:

Originally Posted by Jim VB

I think that’s probably a step too far, at least for now. Most of the auction house owners I know are honest guys. Several have told me they have never had access to passwords. Others have cleared it up and said it’s an option that SimpleAuctionSite.com can turn on or off. Obviously Bill Goodwin had it turned on.

What needs to happen is that Freedman needs to confirm it’s an option.

Then the various auctions houses using his software need to make clear that they do, or do not, have access to this info.

Then, old time auctioneers, like Bill Goodwin, need to stay far, far away from technology they don’t understand! Anyone who sends out plain text, unencrypted, passwords in emails shouldn’t be trusted with your info.

Thing is, SimpleAuctionSite shouldn't have the ability to turn access to passwords on or off either.

[whiteymet]

I too received the email with my password and user ID.

Is there any thought to when I opened the link my computer could have been infected?

[edhans]

Quote:

Originally Posted by whiteymet

Is there any thought to when I opened the link my computer could have been infected?

There was no link in the email I received.

[3-2-count]

Quote:

Originally Posted by edhans

There was no link in the email I received.

There was in mine. Directly under my user name and PW.

[edhans]

Quote:

Originally Posted by 3-2-count

There was in mine. Directly under my user name and PW.

The "link" was not live; that is, clicking on it would not take you directly to the website. I had to key the url into my browser. FWIW I didn't log in anyway. Was your email different?