Simple Auctions Hacked Again

[BRoberts]

Quote:

Originally Posted by Lorewalker

Getting pretty old. There are other choices. Not sure why these houses are putting up with this and subjecting their consignors and buyers to it.

How has Bob Freedman never made a public post on this board regarding whether the thousands of people registered with the auction websites on his platform had their personal information compromised by the first "hackers" weeks ago? He finds time to post his memorabilia pickups but can't address this issue?

[sbfinley]

Quote:

Originally Posted by BRoberts

How has Bob Freedman never made a public post on this board regarding whether the thousands of people registered with the auction websites on his platform had their personal information compromised by the first "hackers" weeks ago? He finds time to post his memorabilia pickups but can't address this issue?

Stolen data briefing laws are almost universal now in all 50 states. I would venture to guess anyone who would have had personal data breached will be notified. Yeah it sucks not knowing (I’m probably registered at 20 SSA affiliated sites) but:

A) Most data breach notifications go out months after the initial attack, when the full scope of data stolen is accounted for.

B) If any data was stolen, by law the effected parties will be alerted.

C) They were probably advised not to discuss it until the above notices are posted.

[Exhibitman]

I hear they will be up and running again on Monday...

[mantlefan]

How many times does this have to happen until Auction houses start using another company? (Create Auctions) SA should have implemented security patches after the last attack.

[bnorth]

Quote:

Originally Posted by mantlefan

How many times does this have to happen until Auction houses start using another company? SA should have done a better job of protecting their data.

As long as customers keep bidding and the AHs make $ it will never change. We as collectors seem to turn a blind eye to a LOT of stuff.

[Peter_Spaeth]

Quote:

Originally Posted by mantlefan

How many times does this have to happen until Auction houses start using another company? (Create Auctions) SA should have implemented security patches after the last attack.

Has any auction changed companies since SA started having these problems or are they all just staying the course despite all the issues?

[prewarsports]

We switched about four years ago from SA to Create.

[Shoeless Moe]

Day 3


and still nothing.


getting annoying.

[BRoberts]

Quote:

Originally Posted by sbfinley

Stolen data briefing laws are almost universal now in all 50 states. I would venture to guess anyone who would have had personal data breached will be notified. Yeah it sucks not knowing (I’m probably registered at 20 SSA affiliated sites) but:

A) Most data breach notifications go out months after the initial attack, when the full scope of data stolen is accounted for.

B) If any data was stolen, by law the effected parties will be alerted.

C) They were probably advised not to discuss it until the above notices are posted.

Let's hope Bob Freedman knows the laws.

[autograf]

My nonsports auction is with SSA. I have done three auctions a year for the last two years. 2021 is the third year. I'll do Feb, Jun and October this year. The hack hasn't caused me many problems other than I had to push my Jan auction back to Feb. It sounds easy to just hop over to another software but it is not quite that easy. All the historical data would have to be ported over somehow and you'd have to learn a completely new software for running your auctions. It may come to that at some point and I'm sure other SSA users are considering jumping ship, but, for now, I'm staying put. As for information gathered, other than address and phone number which is important, my site doesn't collect any payment info--only paid through the PayPal API or via check/money order. And passwords are not visible to me through the software. I hope that's the case as, like most of you all, I'm registered with a number of SSA sites too. Last word I got was that the sites would be back up this afternoon.

[MCyganik]

I'm curious how these things work behind the scenes because for the layman like myself it sounds like a bad movie.

Auction Server gets taken hostage. Hacker claims responsibility, supposedly doesn't want info from the hostage, just wants money to release the hostage.

Server CEO has long-time IT experience, hires firm that specializes in internet hostage situations. "Never negotiate with terrorists!" customers say. They begin negotiating with the hackers.

Server CEO and hostage firm negotiate a settlement to release the hostage. "It's okay," they say, "in most situations the hacker just wants a lump sum and they'll go away".

The hacker releases the hostage. The Auction Server needs time to recuperate from the trauma but otherwise is intact and well-functioning. After a few days, life moves on.

3 Weeks Later

Auction Server is missing. Who is to blame?

[SWinn]

Quote:

Originally Posted by MCyganik

I'm curious how these things work behind the scenes because for the layman like myself it sounds like a bad movie.

Auction Server gets taken hostage. Hacker claims responsibility, supposedly doesn't want info from the hostage, just wants money to release the hostage.

Server CEO has long-time IT experience, hires firm that specializes in internet hostage situations. "Never negotiate with terrorists!" customers say. They begin negotiating with the hackers.

Server CEO and hostage firm negotiate a settlement to release the hostage. "It's okay," they say, "in most situations the hacker just wants a lump sum and they'll go away".

The hacker releases the hostage. The Auction Server needs time to recuperate from the trauma but otherwise is intact and well-functioning. After a few days, life moves on.

3 Weeks Later

Auction Server is missing. Who is to blame?

In my experience, it boils down to more common sense than IT experience. I know guys who have been in the industry for years but everything always, and I mean always, seems to fall apart (for some strange reason lol). If you're routinely getting attacked by ransomware I would be running like crazy in the other direction (as a customer).

There are many auction platforms out there. I come across them all the time in my own work. Many people opt for fully managed solutions because they don't want the IT headache on top of the logistics, understandably. It's a lot to manage.

But sometimes the best route is DIY for reasons like this. Hopefully the light is seen and all works out well.

[bobfreedman]

Board members, we were hacked once again however after the first hack, SpearTip was hired and prevented a second attempted attack Sunday Morning. A decision was made to take the servers offline and do a through check to determine how they were able to penetrate our servers (although no encryption nor data loss occurred). We have estimated that there was a Trojan Horse installed on the first hack. We decided to take everything offline and rebuild our environment and harden the security even more.

The decision was also made to install redundant security measures to prevent future attacks. This is why the servers of all our clients utilizing our software have been down. These additional layers of security have now been implemented, the servers are being tested and should be ready to be back online tonight.

We have gone through great expense to prevent the this again and we are being very proactive in hiring additional staff and hiring SpearTip on a full time basis. This has been a very trying time as you can imagine and I appreciate our customers loyalty and hope that we can once again provide you the level service you are accustomed too. Thank you

Also, from the first hack, a complete forensic analysis was done and determined that no data loss occurred

Bob Freedman