Security Breech from Bill Goodwin- UPDATE IN POST #77

[buymycards]

I was thinking about using a password manager, so I looked through the notebook that I use to keep track of websites, usernames, and passwords, and I found that I have nearly 140 usernames and over 100 different passwords for 226 different websites.

I'm not sure what that says about me and the amount of time that I spend online. Nerd? Yes. Nothing better to do? Most of the time. Obsessed with baseball cards? Certainly. Spending too much money? Yup. Having fun? Oh yeah! Going to try to cut back on the amount of time that I am online? Hell no!

[bobfreedman]

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value. When you log in for the first time, you will be forced to change your password or you can go to Forgot Password and change it immediately.

As for other auction companies being able to see PW's, the vast majority cannot see your passwords nor your Max bids. We do have some older smaller legacy companies that can and we are working with them to turn them off. I will not name them so do not ask but it is a very small amount and they are very small companies. Please accept my apologies once again.

I will not be responding to this thread further.

Bob Freedman

[buymycards]

Here is the email that I received this morning.

Username and Password
Inbox
x

bill@go-heartland.com
8:42 AM (21 minutes ago)
to me

Dear Bidder,

As you are probably aware clear text usernames and passwords were sent out via email to all the bidders imported into Heartland's database. This was done in error. The email was not sent from the website, but was sent using mail merge and the spreadsheet used to import the data. We have since changed all the passwords in the system to a random value. To reset your password please go to this page:

https://go-heartland.com/forgotpassword.aspx

and enter your email address. A reset password link will be sent to you. You may use the forgot password page at any time to reset it.

Your new password will not be visible to anyone at Heartland Auctions or Simple Auction Site.

We apologize for any inconvenience this may have caused you.

Bill Goodwin
Heartland Auctions
314-849-9798
Go-Heartland.com

[pawpawdiv9]

Yep ^^ got the the new email too this morning. Already re-set password again.
And looked at the early bidding on some nice High-graded cards.

[bigfanNY]

I responded to the email from Hartland Auctions asking them to remove any and all of my information from their records. Not that I have same password but some even recent passwords have common letter and number patterns. So I did have to spend some time cleaning up after this data breech.
I am a little confused Bob Friedman came on here apologizing for the email? So he is saying that it originated from him and not Hartland Auctions?
And I think it is 100% wrong for him not to name the auction sites that have access to passwords and bids that use Simple Auction. So now we have to assume that any simple Auction Site has the capability. (Unless Auction house comes out and says specifically it dose not have access).
This is why data breeches of this type often end up in litigation. Given the seriousness of Identity theft to offer up unsecured email address tied to usernames and passwords gives the people who steal identities a giant head start.
Trust is a valuable commodity. After last year I had hoped our hobby would have spent 2020 recovering. Now I see my trust betrayed during a time when I and most of the world have bigger things to address.

[bcornell]

Quote:

Originally Posted by bigfanNY

I am a little confused Bob Friedman came on here apologizing for the email? So he is saying that it originated from him and not Hartland Auctions?
And I think it is 100% wrong for him not to name the auction sites that have access to passwords and bids that use Simple Auction. So now we have to assume that any simple Auction Site has the capability. (Unless Auction house comes out and says specifically it dose not have access).
This is why data breeches of this type often end up in litigation.

Bob Freedman's non-apology isn't nearly sufficient. I would ask them if they one-way encrypt passwords or if they're stored in clear text. I bet I know the answer. They're lax.



You don't have to come answer questions here, Bob. Wait until you have a data breach (oops, I mean another one) and then you can answer questions from attorneys.

[Den*nis O*Brien]

...a second email which was basically an apology for the "Error" and explanation for the first email. It did nothing to make me feel any better about the previous events.
As I have said ...Mr. Goodwin was always a personable and helpful person regarding his old auctions. But as so many of our members have expressed opinions that this is too big of an "Error" to over look. I am still disappointed and will not forget all of this going forward.

Dennis O'Brien

[Jim VB]

Quote:

Originally Posted by bobfreedman

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value. When you log in for the first time, you will be forced to change your password or you can go to Forgot Password and change it immediately.

As for other auction companies being able to see PW's, the vast majority cannot see your passwords nor your Max bids. We do have some older smaller legacy companies that can and we are working with them to turn them off. I will not name them so do not ask but it is a very small amount and they are very small companies. Please accept my apologies once again.

I will not be responding to this thread further.

Bob Freedman

With all due respect Bob, this isn’t quite accurate. Heartland is NOT an “older, smaller, legacy company.” They are brand new. Their first auction started yesterday.

The email addresses, usernames, and passwords which were released were from a different company.

[BeanTown]

Quote:

Originally Posted by bobfreedman

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value.

I will not be responding to this thread further.

Bob Freedman

Many are talking over my pay grade for how auction software works. However, reading the last statement from Bob, makes me think he doesn't want to address an on going problem. Bill brings up good points and I thought Bob would be more than happy to put everyones mind to ease and answer any questions.

[Jim VB]

UPDATE:

SIMPLEAUCTIONSITE.COM is in the process of updating their systems. They have notified all of their clients that they are changing their systems. As Bob posted here, some auction houses have had the ability to see passwords. This function will go away shortly. I guess that’s the good news.

The bad news is that some of these guys have, for years, been able to use the passwords and that means they had the ability to see everything you bid in their auctions. Changing passwords did nothing. The guys with password access, including certain auction houses, and SimpleAuctionSite.com, could simply look at anything you bid on and see your max bids!

As always, remember that the honesty of any auction house comes down to the honesty of the auction house owner. Only deal with people you trust.

Bob also told me that he did not “leak” the old Goodwin list to Bill Goodwin. Bob says he was given the data and merely input it to Heartland Auctions.

That means the info could only have come from two sources. Either Beckett’s gave it or sold it back to Bill, or Bill made a copy before he sold his company to Beckett.

Keep that in mind when deciding who the “people you trust” really are!

(During the course of this mess, I emailed questions to Freedman, Goodwin, and Beckett. Only Freedman was nice enough to respond.)