Simple Auctions Hacked Again

[jfkheat]

It looks like Simple Auctions may have been hacked again. I just checked several auction sites that are hosted by them and none would open, including the Simple Auction site. Goldin is down. If they have been hacked again I'm sure several of the auction houses will be looking for a new home.

[notfast]

Quote:

Originally Posted by jfkheat

It looks like Simple Auctions may have been hacked again. I just checked several auction sites that are hosted by them and none would open, including the Simple Auction site. Goldin is down. If they have been hacked again I'm sure several of the auction houses will be looking for a new home.

They keep having issues and have yet to move to a different auction host.

You’d think they would have moved on awhile ago because this is embarrassing.

[Peter_Spaeth]

Quote:

Originally Posted by notfast

They keep having issues and have yet to move to a different auction host.

You’d think they would have moved on awhile ago because this is embarrassing.

Is there a viable alternative?

[Fballguy]

From Goldin...

[Aquarian Sports Cards]

Quote:

Originally Posted by Peter_Spaeth

Is there a viable alternative?

I certainly think there is!

[Lorewalker]

Quote:

Originally Posted by Peter_Spaeth

Is there a viable alternative?

Getting pretty old. There are other choices. Not sure why these houses are putting up with this and subjecting their consignors and buyers to it.

[BRoberts]

Quote:

Originally Posted by Lorewalker

Getting pretty old. There are other choices. Not sure why these houses are putting up with this and subjecting their consignors and buyers to it.

How has Bob Freedman never made a public post on this board regarding whether the thousands of people registered with the auction websites on his platform had their personal information compromised by the first "hackers" weeks ago? He finds time to post his memorabilia pickups but can't address this issue?

[sbfinley]

Quote:

Originally Posted by BRoberts

How has Bob Freedman never made a public post on this board regarding whether the thousands of people registered with the auction websites on his platform had their personal information compromised by the first "hackers" weeks ago? He finds time to post his memorabilia pickups but can't address this issue?

Stolen data briefing laws are almost universal now in all 50 states. I would venture to guess anyone who would have had personal data breached will be notified. Yeah it sucks not knowing (I’m probably registered at 20 SSA affiliated sites) but:

A) Most data breach notifications go out months after the initial attack, when the full scope of data stolen is accounted for.

B) If any data was stolen, by law the effected parties will be alerted.

C) They were probably advised not to discuss it until the above notices are posted.

[Exhibitman]

I hear they will be up and running again on Monday...

[mantlefan]

How many times does this have to happen until Auction houses start using another company? (Create Auctions) SA should have implemented security patches after the last attack.

[bnorth]

Quote:

Originally Posted by mantlefan

How many times does this have to happen until Auction houses start using another company? SA should have done a better job of protecting their data.

As long as customers keep bidding and the AHs make $ it will never change. We as collectors seem to turn a blind eye to a LOT of stuff.

[BRoberts]

Quote:

Originally Posted by sbfinley

Stolen data briefing laws are almost universal now in all 50 states. I would venture to guess anyone who would have had personal data breached will be notified. Yeah it sucks not knowing (I’m probably registered at 20 SSA affiliated sites) but:

A) Most data breach notifications go out months after the initial attack, when the full scope of data stolen is accounted for.

B) If any data was stolen, by law the effected parties will be alerted.

C) They were probably advised not to discuss it until the above notices are posted.

Let's hope Bob Freedman knows the laws.

[autograf]

My nonsports auction is with SSA. I have done three auctions a year for the last two years. 2021 is the third year. I'll do Feb, Jun and October this year. The hack hasn't caused me many problems other than I had to push my Jan auction back to Feb. It sounds easy to just hop over to another software but it is not quite that easy. All the historical data would have to be ported over somehow and you'd have to learn a completely new software for running your auctions. It may come to that at some point and I'm sure other SSA users are considering jumping ship, but, for now, I'm staying put. As for information gathered, other than address and phone number which is important, my site doesn't collect any payment info--only paid through the PayPal API or via check/money order. And passwords are not visible to me through the software. I hope that's the case as, like most of you all, I'm registered with a number of SSA sites too. Last word I got was that the sites would be back up this afternoon.

[MCyganik]

I'm curious how these things work behind the scenes because for the layman like myself it sounds like a bad movie.

Auction Server gets taken hostage. Hacker claims responsibility, supposedly doesn't want info from the hostage, just wants money to release the hostage.

Server CEO has long-time IT experience, hires firm that specializes in internet hostage situations. "Never negotiate with terrorists!" customers say. They begin negotiating with the hackers.

Server CEO and hostage firm negotiate a settlement to release the hostage. "It's okay," they say, "in most situations the hacker just wants a lump sum and they'll go away".

The hacker releases the hostage. The Auction Server needs time to recuperate from the trauma but otherwise is intact and well-functioning. After a few days, life moves on.

3 Weeks Later

Auction Server is missing. Who is to blame?

[Peter_Spaeth]

Quote:

Originally Posted by mantlefan

How many times does this have to happen until Auction houses start using another company? (Create Auctions) SA should have implemented security patches after the last attack.

Has any auction changed companies since SA started having these problems or are they all just staying the course despite all the issues?

[prewarsports]

We switched about four years ago from SA to Create.

[Shoeless Moe]

Day 3


and still nothing.


getting annoying.

[bobbyw8469]

Seriously...this is ridiculous.

[Mark17]

Hopefully, after the ransom was paid and the hackers helped the sites come back up, there was a thorough analysis of all the code to be sure the hackers didn't leave any back doors, or redirect links.

I had won an auction with VSA and there was no way I was going to pay through their website - I went down and paid in person. Had they been too far away, I would've mailed a check. Even opening an invoice in .pdf format would make me nervous.

I think it is false security to assume that payment info is safe because it isn't collected or stored by the various AH. IF the hackers left spyware on the servers - and I'm not saying they did, but since they had control of the servers for several days (including that weekend they supposedly weren't working,) unless and until a full forensic analysis is performed and results made public, we don't really know what's going on.

[notfast]

I just don’t understand why these auction houses, that are “breaking records” left and right, are putting up with this. I’m sure consigners don’t like their 6-7 figure cards being for sale on websites that go down so often.

[RedsFan1941]

i knew a guy once whose roof was damaged by high winds and started leaking. he put a couple blue tarps on his roof over the trouble spots. he left those tarps up for years even though they didn't fix the problem. but they were cheaper than a new roof.

[Mark17]

Quote:

Originally Posted by RedsFan1941

i knew a guy once whose roof was damaged by high winds and started leaking. he put a couple blue tarps on his roof over the trouble spots. he left those tarps up for years even though they didn't fix the problem. but they were cheaper than a new roof.

The problem with your analogy is that it's the guy's roof and if he made a poor decision, ultimately he's assuming all the risk.

In this case there's a problem at the top and it is trickling down to affect a bunch of AH, and those who do business with them. And nobody seems to be able to say conclusively what, exactly, that impact and potential risk is.

[Peter_Spaeth]

Quote:

Originally Posted by notfast

I just don’t understand why these auction houses, that are “breaking records” left and right, are putting up with this. I’m sure consigners don’t like their 6-7 figure cards being for sale on websites that go down so often.

They seem to be very loyal to Bob, for whatever reason?

[okumeister]

Nevermind

[Exhibitman]

The servers will be back up on Saturday, er, Sunday. Monday morning absolutely, or possibly Tuesday...

[perezfan]

It’s a valid rant. As a consignor, I’d be pissed as well. Consignors should be kept in the loop and should be the first to receive info/updates. I don’t think the outage will negatively affect most prices in the end, provided they are back up and running today. Most of the serious bidding occurs at the end, and many of these auctions run a lot longer in duration than is really needed.

But you still want as many eyes as possible, and a few potential bidders could be missed because of the weekend outage. It’s aggravating as hell.

As far as switching servers, it is more complex than most people realize. A tremendous amount of work and expense is involved. From my understanding, SAS (despite the current issues) has a unique and turnkey platform on both the front and back ends. They have unique features which allow for ease of listing, invoicing and shipping that other companies simply do not offer.

That said, it’s still a clusterf*ck

[SWinn]

Quote:

Originally Posted by MCyganik

I'm curious how these things work behind the scenes because for the layman like myself it sounds like a bad movie.

Auction Server gets taken hostage. Hacker claims responsibility, supposedly doesn't want info from the hostage, just wants money to release the hostage.

Server CEO has long-time IT experience, hires firm that specializes in internet hostage situations. "Never negotiate with terrorists!" customers say. They begin negotiating with the hackers.

Server CEO and hostage firm negotiate a settlement to release the hostage. "It's okay," they say, "in most situations the hacker just wants a lump sum and they'll go away".

The hacker releases the hostage. The Auction Server needs time to recuperate from the trauma but otherwise is intact and well-functioning. After a few days, life moves on.

3 Weeks Later

Auction Server is missing. Who is to blame?

In my experience, it boils down to more common sense than IT experience. I know guys who have been in the industry for years but everything always, and I mean always, seems to fall apart (for some strange reason lol). If you're routinely getting attacked by ransomware I would be running like crazy in the other direction (as a customer).

There are many auction platforms out there. I come across them all the time in my own work. Many people opt for fully managed solutions because they don't want the IT headache on top of the logistics, understandably. It's a lot to manage.

But sometimes the best route is DIY for reasons like this. Hopefully the light is seen and all works out well.

[bobfreedman]

Board members, we were hacked once again however after the first hack, SpearTip was hired and prevented a second attempted attack Sunday Morning. A decision was made to take the servers offline and do a through check to determine how they were able to penetrate our servers (although no encryption nor data loss occurred). We have estimated that there was a Trojan Horse installed on the first hack. We decided to take everything offline and rebuild our environment and harden the security even more.

The decision was also made to install redundant security measures to prevent future attacks. This is why the servers of all our clients utilizing our software have been down. These additional layers of security have now been implemented, the servers are being tested and should be ready to be back online tonight.

We have gone through great expense to prevent the this again and we are being very proactive in hiring additional staff and hiring SpearTip on a full time basis. This has been a very trying time as you can imagine and I appreciate our customers loyalty and hope that we can once again provide you the level service you are accustomed too. Thank you

Also, from the first hack, a complete forensic analysis was done and determined that no data loss occurred

Bob Freedman

[RedsFan1941]

Quote:

Originally Posted by bobfreedman

We have estimated that there was a Trojan Horse installed on the first hack.

Also, from the first hack, a complete forensic analysis was done and determined that no data loss occurred

Bob Freedman

your people did a forensic analysis after the first hack and determined no data loss but somehow during this analysis a trojan horse was missed?

[GeoPoto]

Once upon a time I ran a company that almost ran out of cash (actually, we ran out of cash, but for a brief enough period that we were able to skinny through by stretching suppliers, delaying officer paychecks, and other things that would normally be unthinkable). At the next board meeting, the question came up whether we should be looking for another CFO. I took the position I would rather have the CFO who (almost) ran out of cash rather than the one that hadn't run out of cash -- yet. Nothing sharpens the mind like living through your own mistakes.

[UKCardGuy]

Quote:

Originally Posted by bobfreedman

Also, from the first hack, a complete forensic analysis was done and determined that no data loss occurred

No data loss occurred isn't the same as a secure environment. To me, "No data loss occurred" means that all the data was unencrypted and the records were restored.. Was the forensic analysis performed on just the data integrity or the entire environment?

Based on the fact that a trojan horse had been left, I'm guessing it was the former. That's extremely disappointing. I'd have expected the full security implications to have been considered after the first hack. At best, the approach seems very naive.

If someone takes over my house, changes the locks and demands a ransom for the new keys - I wouldn't simply trust that they didn't make copies of the keys or sabatoge other entrances.

[RedsFan1941]

Quote:

Originally Posted by Mark17

The problem with your analogy is that it's the guy's roof and if he made a poor decision, ultimately he's assuming all the risk.

In this case there's a problem at the top and it is trickling down to affect a bunch of AH, and those who do business with them. And nobody seems to be able to say conclusively what, exactly, that impact and potential risk is.

the problem with my analogy is that it was too hard for you to follow.

[Mark17]

Quote:

Originally Posted by RedsFan1941

the problem with my analogy is that it was too hard for you to follow.

Your analogy was to simpleton to be applicable here.

[notfast]

Guess they won’t be back up today.

AH better hope their stuff sells well or they are going to have some annoyed consignors.

[mantlefan]

"The decision was also made to install redundant security measures to prevent future attacks. "

Why wasn't this done after the first hack?

[NATCARD]

12 hours after last update and still down. Slightly frustrating for me but it must be overwhelming frustrating for auctions sites with live or about to go live auctions. Jeff W (National Card Investors)

[chriskim]

I lose momentum to place bids and completely lost track of when their auction ends since they mostly get postponed somehow.

[Jay Wolt]

Quote:

Originally Posted by chriskim

I lose momentum to place bids and completely lost track of when their auction ends since they mostly get postponed somehow.

I'm sure when this mess is fixed, the auction houses will contact their customer base
w/ info when their auctions will open, or the ones that were running will state their new closing date.

[darwinbulldog]

The real winner here is PWCC.

[arcadekrazy]

Quote:

Originally Posted by chriskim

I lose momentum to place bids and completely lost track of when their auction ends since they mostly get postponed somehow.

As a consignor to one of the affected, in-progress auctions, THIS is my biggest concern - loss of momentum & enthusiasm.

The lack of a clearly defined "recovery time objective" is frustrating - it seems to be a moving target. My heart goes out to the auction companies, because they can't set a clear expectation of return to service with their customer base

[Shoeless Moe]

Hoping it's back up today, we'll see.

[notfast]

Quote:

Originally Posted by arcadekrazy

My heart goes out to the auction companies, because they can't set a clear expectation of return to service with their customer base

They’ve had these issues going back over a year. Can’t have any empathy for the auction houses when they’ve kept dealing with Simple Auctions after repeated failures.

[Mark17]

What I would like is some assurance that ALL of the code the hackers seized control over has been thoroughly inspected, or compared to backup (clean) versions. Specifically, if I click on a link on one of the affected auction sites, is that link taking me where it's supposed to?

After previous discussions here and a couple of PMs I received, I, personally, am not too concerned about any of my personal data having been stolen. I do think all the AHs involved should force everyone to change their passwords however.

As a computer guy, what I am most concerned about is the integrity of all the code the hackers had control over, and whether or not there can be assurances given that there aren't new vulnerabilities built into it, not just at the higher levels where hackers could gain system-wide access, but also at the individual AH level.

For instance, about 6 years ago a company I worked for was hit by a ransomware attack. I was the first to notice our files were in the process of being corrupted, seeing folder after folder turn into gibberish. The IT guys shut down and loaded a system backup from the previous day, so our company hit was just one day of lost work, and they later told me the hack had come in through a .pdf someone at another site had opened.

So, do any of the affected AHs produce invoices in .pdf format? If so, was that code available to the hackers to replace or modify? Has all of that kind of potential problem been fully analyzed so the whole system can be reasonably considered safe for users?

I am not saying the examples I mention are applicable here. I have no idea what has been done by the hackers or the people working to clean up the sites. All I am saying is that, generally, when a hacker - a thief - has control of a system for a number of days, there are, potentially, a variety of nefarious things that can be done.

I think some detailed assurances should be given, for the sake of everyone, as to the thoroughness of the cleanup.

[chadeast]

Quote:

Originally Posted by arcadekrazy

As a consignor to one of the affected, in-progress auctions, THIS is my biggest concern - loss of momentum & enthusiasm.

The lack of a clearly defined "recovery time objective" is frustrating - it seems to be a moving target. My heart goes out to the auction companies, because they can't set a clear expectation of return to service with their customer base

I'm sorry that you are affected by this. I think that your concern is very valid. I won two cards that I had been eyeing on January 14 from one of the affected sites, and now consider myself lucky that the auction ended last week. If the auction had been postponed for days on end, I may well have found somewhere else to spend my money. Not having future auction offerings to browse is a momentum killer for sure.

I feel for the consignors and auctions site owners. Bad situation all around.

[Exhibitman]

Quote:

Originally Posted by darwinbulldog

The real winner here is PWCC.

I was thinking something similar: that eBay is the real winner. The cost of an AH sale and an eBay sale are nearly the same (eBay is a bit lower). I had always been of the mindset that rather than waste my time, use an AH to sell stuff so I don't have to retail and fulfill orders. But with all these issues and delays, maybe I just list my consignments on eBay instead. At least eBay doesn't seem to have trouble keeping the lights on.

[Snapolit1]

Still down.

Unreal.

How do auction houses that do 10s of millions in year in sales justify this?

Stated otherwise, and less politely, how fucking hard would it be for a successful business enterprise to pay some programmers to create your own bidding platform?

[111gecko]

It's a shame this is happening. Take the blame-game out of this and the reality is consignors may start looking to companies that don't use SA. Tough to blame them, but there are some good AH that use SA and they are ultimately the ones that will get hurt by this by sellers going elsewhere...

[wazoo]

Quote:

Originally Posted by Snapolit1

Still down.

Unreal.

How do auction houses that do 10s of millions in year in sales justify this?

Stated otherwise, and less politely, how fucking hard would it be for a successful business enterprise to pay some programmers to create your own bidding platform?

Tell us how you really feel 😂😂

[Kenny Cole]

I'm not going to adequately speak for the auction houses that are affected since I'm not in that position, but my understanding is that it is very difficult, verging on impossible without a huge expenditure of funds, to migrate elsewhere. And, as I further understand it, there aren't many, if any, other sites that check the needed boxes. That's the proverbial between a rock and a hard place situation. And I also bet that, even with no performance, there is still a bill sent out that is expected to be paid. That's absolute bullshit.

[drcy]

Quote:

Originally Posted by 111gecko

It's a shame this is happening. Take the blame-game out of this and the reality is consignors may start looking to companies that don't use SA. Tough to blame them, but there are some good AH that use SA and they are ultimately the ones that will get hurt by this by sellers going elsewhere...

That's assuming other platforms are safer. They might be less safe. We know SA is addressing the issue, whereas may other platforms may or may not have.

As often is the case with companies that have to react to problems, perhaps SA is now the safest platform.