Security Breech from Bill Goodwin- UPDATE IN POST #77

[buymycards]

I also received this email. My username and password was unprotected in the body of the email. When I used this info to log into Heartland, Google told me that there was a data breech and that I should change my password immediately, which I did. I wanted to log into my account to see if my credit card info was listed. Thank heaven it was not transferred to Heartland Auctions from the old site.

Rick

[pawpawdiv9]

^^^interesting???
I am gonna try and log-in and see if this happens, and if so change mine.
BTW- i also sent a message thru the site's contact page about this matter.

[Bugsy]

They shouldn't even have access to my password in the first place, let alone sending that in an email. Very concerning.

[brass_rat]

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

[x2drich2000]

Quote:

Originally Posted by brass_rat

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

You mean my password shouldn't be Password123 on every site?

[glynparson]

Quote:

Originally Posted by x2drich2000

You mean my password shouldn't be Password123 on every site?

Wow I never thought of adding the 123. I just went with password. Lol :-)

[ullmandds]

he must be upset that disney is closed?

[wondo]

Quote:

Originally Posted by ullmandds

he must be upset that disney is closed?

Now that’s funny!

[brass_rat]

Sorry, yes, I agree... Changing the passwords don't help, but if an entity has access to your password, at least they have access to only that one account and trying your email/password on multiple sites won't give them access to other things.

My comment was meant to be a tangent to the original post. Agreed that entities should not have access to passwords, whether it be auction house or other... And they should not be emailed in plain text, visible to any admins under any circumstances, etc.

Just trying to be helpful. Will bow out of this conversation now.

[Jobu]

The grand kids are probably happy though, now that they are in their 20s it is tough spending so much time there.

Quote:

Originally Posted by ullmandds

he must be upset that disney is closed?

[Stampsfan]

As a now retired IT professional, this is absolutely shocking. I would not be doing business with anyone who does not use some kind of encryption for their clients passwords. Not acceptable in any way.

I've always suspected that bids are known to many auction sites, as that can be raw data that anyone with a modicum of SQL skills could find... but this is on another level.

Any auction house using Simple Auction Site is now off my bid list.

Thanks for sharing.

[T206.org]

Quote:

Originally Posted by brass_rat

I would imagine that a lot of users reuse passwords across sites. This is a good reason not to do that.

Password managers are a good thing... KeePass, 1Password, etc.

Spot on advice.

When I received the email from Bill I was alarmed but not overly worried, because I use 1Password and have a different password for every website.

[buymycards]

I was thinking about using a password manager, so I looked through the notebook that I use to keep track of websites, usernames, and passwords, and I found that I have nearly 140 usernames and over 100 different passwords for 226 different websites.

I'm not sure what that says about me and the amount of time that I spend online. Nerd? Yes. Nothing better to do? Most of the time. Obsessed with baseball cards? Certainly. Spending too much money? Yup. Having fun? Oh yeah! Going to try to cut back on the amount of time that I am online? Hell no!

[bobfreedman]

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value. When you log in for the first time, you will be forced to change your password or you can go to Forgot Password and change it immediately.

As for other auction companies being able to see PW's, the vast majority cannot see your passwords nor your Max bids. We do have some older smaller legacy companies that can and we are working with them to turn them off. I will not name them so do not ask but it is a very small amount and they are very small companies. Please accept my apologies once again.

I will not be responding to this thread further.

Bob Freedman

[buymycards]

Here is the email that I received this morning.

Username and Password
Inbox
x

bill@go-heartland.com
8:42 AM (21 minutes ago)
to me

Dear Bidder,

As you are probably aware clear text usernames and passwords were sent out via email to all the bidders imported into Heartland's database. This was done in error. The email was not sent from the website, but was sent using mail merge and the spreadsheet used to import the data. We have since changed all the passwords in the system to a random value. To reset your password please go to this page:

https://go-heartland.com/forgotpassword.aspx

and enter your email address. A reset password link will be sent to you. You may use the forgot password page at any time to reset it.

Your new password will not be visible to anyone at Heartland Auctions or Simple Auction Site.

We apologize for any inconvenience this may have caused you.

Bill Goodwin
Heartland Auctions
314-849-9798
Go-Heartland.com

[pawpawdiv9]

Yep ^^ got the the new email too this morning. Already re-set password again.
And looked at the early bidding on some nice High-graded cards.

[Jim VB]

Quote:

Originally Posted by bobfreedman

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value. When you log in for the first time, you will be forced to change your password or you can go to Forgot Password and change it immediately.

As for other auction companies being able to see PW's, the vast majority cannot see your passwords nor your Max bids. We do have some older smaller legacy companies that can and we are working with them to turn them off. I will not name them so do not ask but it is a very small amount and they are very small companies. Please accept my apologies once again.

I will not be responding to this thread further.

Bob Freedman

With all due respect Bob, this isn’t quite accurate. Heartland is NOT an “older, smaller, legacy company.” They are brand new. Their first auction started yesterday.

The email addresses, usernames, and passwords which were released were from a different company.

[BeanTown]

Quote:

Originally Posted by bobfreedman

Guys, I apologize for the confusion and the mistakes we made in sending out the User Names and Passwords. We have reset everyone's passwords to a randomly generated value.

I will not be responding to this thread further.

Bob Freedman

Many are talking over my pay grade for how auction software works. However, reading the last statement from Bob, makes me think he doesn't want to address an on going problem. Bill brings up good points and I thought Bob would be more than happy to put everyones mind to ease and answer any questions.

[Jim VB]

UPDATE:

SIMPLEAUCTIONSITE.COM is in the process of updating their systems. They have notified all of their clients that they are changing their systems. As Bob posted here, some auction houses have had the ability to see passwords. This function will go away shortly. I guess that’s the good news.

The bad news is that some of these guys have, for years, been able to use the passwords and that means they had the ability to see everything you bid in their auctions. Changing passwords did nothing. The guys with password access, including certain auction houses, and SimpleAuctionSite.com, could simply look at anything you bid on and see your max bids!

As always, remember that the honesty of any auction house comes down to the honesty of the auction house owner. Only deal with people you trust.

Bob also told me that he did not “leak” the old Goodwin list to Bill Goodwin. Bob says he was given the data and merely input it to Heartland Auctions.

That means the info could only have come from two sources. Either Beckett’s gave it or sold it back to Bill, or Bill made a copy before he sold his company to Beckett.

Keep that in mind when deciding who the “people you trust” really are!

(During the course of this mess, I emailed questions to Freedman, Goodwin, and Beckett. Only Freedman was nice enough to respond.)

[Jim VB]

Changing your password is a futile exercise if the software company makes it available to the auction house.

At that point, it’s no longer “secure.”