SixBid Hacked?

Discussion in 'Ancient Coins' started by Carthago, Apr 30, 2019.

  1. Domitian21

    Domitian21 New Member

    There are many different ways to hack a database, but that's not the point. If they managed to access the Sixbid database (the HOW is not important to us), it doesn't matter if you change YOUR password. As long as the hackers have access to the database, they have all your data.

    Of course the HOW is (or should be) important to Sixbid in order to finally fix this.
     
    Carthago likes this.
  3. Suarez

    Suarez Well-Known Member

    This is true. If the database was hacked the password is irrelevant. If their database is anything like 99% of the databases out there the password is either hashed (encrypted) or sits on a different server with its own database.

    If the hackers are resorting to phishing for bogus payments to be sent by Western Union (how else would the scam work?) then I have to believe that 1) their back game isn't anywhere near as sophisticated as their initial hack and, 2) having the bidders' names and addresses isn't going to be of much use that I can see.

    Personally, I fought identity theft by "giving in" in a way: I had the credit bureaus lock my credit file. If I should need to buy something on credit in the future that I'd need a loan for I'll have to spend a half hour or so reopening my credit files. A small inconvenience but the upside is (in theory) it shouldn't matter now even if they have my social security number and the hour I was born since the credit bureaus should be showing my profile as frozen. Beyond that, if they come to my house looking for coins, well, I've a bunch of high grade uncleaneds :)

    My valuable coins are kept in a safety deposit box. More so out of fear of the house burning down than armed robbers actually....
     
  4. Terence Cheesman

    Terence Cheesman Well-Known Member

    The same problem seems to have plagued some of the bidders in the last NAC Auction. I just got a notice expressing concerns over fake invoices.
     
  5. Andrew McCabe

    Andrew McCabe Well-Known Member

    Sixbid have behaved disgracefully throughout this now long drawn out issue, and continue to do so. This is absolutely nothing to do with your passwords. Sixbid initially tried to say nothing at all and then whispered very quietly on their log in page. Now with the slightly larger message they continue to deliberately mislead customers in suggesting that it's a customer password issue when it is crystal clear that there's back-door (admin) access to the entire database including the bidding system and has been since March or earlier. Months after this known data breach the fraudsters apparently still have direct access to Sixbid's database sufficiently good to be sending out fake invoices to auctions that took place THIS WEEK (as shown by the warning messages sent by Nomos and NAC yesterday). Sixbid should have shut down the bidding platform entirely and re-established a fresh database on an unconnected platform and set up everyone from scratch with new credentials, perhaps with extra authentication. Instead they pretend to blame you, the customer, while the fraudsters still have live access to their bidding database THIS WEEK. This is regardless of how secure your passwords are because it is not using your passwords but using admin access. Needless to say I have quit Sixbid entirely (too late however as the fraudsters already have all my details, and they have yours too) and I would now urge everyone else here to do the same. There is a decent alternative (Numisbids).
     
    Last edited: May 9, 2019
  6. Suarez

    Suarez Well-Known Member

    I am taking the warning seriously. Sixbid is just a portal. I can still use it to browse what's coming up and then bid through the appropriate website which is what several posters here seem to be doing. Does numisbids cover all the same auctioneers?

    Anyway, I shouldn't be spending so much money on coins.... I promised myself I'm going to scale back after this NAC sale :-D
     
  7. TIF

    TIF Always learning.

    This situation is disturbing and unfortunate. I wish Sixbid would do (would have done) better on notifications and fixing the problem because although I don't use them for bidding, I do use their website. Their "Completed Auctions" page, searchable by auction house and date, has no analog on Numisbids. Some of the auction houses on Sixbid are not on ACsearch either. I often use Sixbid's Completed Auctions database and would hate to lose that.

    I wish Numisbids had a similar searchable listing of closed auctions! Their "Auction Results" page is just a chronological list of auctions and it only goes back six months.
     
    Alegandron and Carthago like this.
  8. Andrew McCabe

    Andrew McCabe Well-Known Member

    Yes to all of this.

    You do not need to belong to / be registered with Sixbid to use the services TIF lists such as "Completed Auctions" searches, or to browse and search their current auctions. You do need to be a member to bookmark and bid on coins. But you can do both these things on Numisbids, while continuing to use Sixbid for browsing or completed auctions searches.

    When I first heard of this many weeks ago, I gave them some leeway and a degree of trust in what the issue was and how to fix it and communicate with us appropriately. So that's why I wasn't making a fuss two months ago. Now as more and more information comes out, their level of knowing negligence towards you and your financially important information is becoming clearer and clearer.

    I wouldn't let Sixbid have one byte of my data from now on. Even today when you go onto Sixbid.com, their main page, there is absolutely no warning, information, explanations, apologies or reassurances. Nothing at all.
     
    Last edited: May 9, 2019
    Pellinore and Domitian21 like this.
  9. Andrew McCabe

    Andrew McCabe Well-Known Member

    I show below all four of the Sixbid main pages as they appear to me today (AUCTIONS, ABOUT, LOG IN, REGISTER). Where's the information about the data breach?
    [Attached screenshots: Untitled 4.jpg, Untitled 3.jpg, Untitled 2.jpg, Untitled 1.jpg]
     
    Carthago likes this.
  10. Ed Snible

    Ed Snible Well-Known Member

    I suspect they don't implement that feature because it would bring pressure from acsearch and coinarchives which charge for prices realized.

    Pro tip: Search with Google and add site:numisbids.com . You will only get the results you need.
     
    Archilochus, Pellinore and TIF like this.
  11. TIF

    TIF Always learning.

    Thanks, Ed! :)
     
  12. token1852

    token1852 New Member

    I've just registered for Sixbid a couple of days ago before finding out about this security hack. The morning after I did it, my machine just suddenly fell over in mid-morning whilst I was doing something quite innocuous {updating a very simple and totally unrelated spreadsheet}. May be coincidence, but it was a one-off, and I am wondering whether someone was trying to download me some malware. Not good to think that they were able to find out about me that fast.
     
  13. Carthago

    Carthago Does this look infected to you?

    Unlikely related, but do yourself a favor and at least update your SixBid personal information with all fake info and absolutely do not bid through SixBid, whatever you do. Better yet, email them and tell them to delete your account like Andrew McCabe did above. You might still have a chance of not letting SixBid hand over your personal information to criminals unlike the rest of us.
     
    Alegandron likes this.
  14. token1852

    token1852 New Member

    OK, have done, thanks. Not even sure that the Sixbid site which comes up is the genuine one, however; if you say you have forgotten your username, they ask you for your e-mail-adress {sic}. One of the standard signs of a spurious site when someone spells a common word like address wrong.
     
    Volodya and Carthago like this.
  15. BenSi

    BenSi Well-Known Member

    This must be causing huge headaches out there with collectors and sixbid.
    I just received a personalized email this morning from sixbid warning about second chance offers, how to id them as being bogus and asking if I have received an email regarding second chance offers to send it to them.
    This is the third warning I have received in the past few months but the first one personalized.
     
  16. Pavlos

    Pavlos You pick out the big men. I'll make them brave!

    I got this email today from Dr. Busso Peus Nachf.

    Luckily it seems to be fixed with the new updated sixbid.

    Dear collectors, dear colleagues,

    Attention, there are fraudulent e-mails with fake auction invoices in circulation. Currently, fake emails with auction invoices are being sent on our behalf. We now know of several cases where customers received e-mails with invoices for alleged auction results, asking them to pay them and transfer the amount to an account in Munich. Auction losing bidders also received bids from the auction with a request to confirm data. In response to inquiries, it was said that the highest bidder had not paid and that an offer was then made to the next bidder (“second chance offers”).

    Dispatcher addresses are for example contact@peus-muenzen.de.auction1.host - here our domain was used abusively and without our knowledge. We only use our official email addresses info@peus-muenzen.de, patatas@peus-muenzen.de and muth@peus-muenzen.de for sending auction invoices and other matters concerning auctions.

    We are currently assuming that the Sixbid auction platform we use was abused. This vulnerability has now been closed with the introduction of new Sixbid software, so next auctions will not be affected.

    We would like to ask you to contact us immediately if you have also received such a message. Please send us the e-mails accordingly and above all: Do not pay or enter any data!

    Yours sincerely
    Dr. Busso Peus Nachf.
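
The sender check the notice above describes, as an added example that is not part of the original post or of any Sixbid or Peus tooling: it compares a From: value against the three official addresses the notice lists and flags a domain that merely embeds `peus-muenzen.de` in front of another domain. The category names and the sample From: values are constructed for illustration.

```python
from email.utils import parseaddr

# Official sender addresses, as listed in the Peus notice quoted above.
OFFICIAL_SENDERS = {
    "info@peus-muenzen.de",
    "patatas@peus-muenzen.de",
    "muth@peus-muenzen.de",
}
OFFICIAL_DOMAINS = {addr.rsplit("@", 1)[1] for addr in OFFICIAL_SENDERS}


def embeds_trusted_domain(domain: str) -> bool:
    """True if a trusted domain appears as labels that are NOT the rightmost
    ones, e.g. peus-muenzen.de.auction1.host (which really ends in auction1.host)."""
    labels = domain.split(".")
    for good in OFFICIAL_DOMAINS:
        g = good.split(".")
        for i in range(len(labels) - len(g)):  # stops before the rightmost fit
            if labels[i:i + len(g)] == g:
                return True
    return False


def classify_sender(from_header: str) -> str:
    """Return 'official', 'unlisted', 'lookalike' or 'unknown' (labels are
    this example's own, not terms from the notice)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in OFFICIAL_SENDERS:
        return "official"
    domain = addr.rsplit("@", 1)[-1].rstrip(".")
    if domain in OFFICIAL_DOMAINS:
        return "unlisted"  # right domain, but not an address the notice lists
    if embeds_trusted_domain(domain):
        return "lookalike"
    # Display name quotes a trusted domain while the real address is elsewhere.
    if any(d in display.lower() for d in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed From: values; only the first address appears in the notice.
    for sample in ("contact@peus-muenzen.de.auction1.host",
                   "Peus <info@peus-muenzen.de>",
                   '"info@peus-muenzen.de" <billing@payments.example>'):
        print(f"{classify_sender(sample):10} {sample}")
```

The comparison is an exact match on the full address rather than a substring search, which is why the fraudulent address in the notice fails even though it contains the real domain.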
     
  17. pprp

    pprp Well-Known Member

    I take the opportunity to mention that Lanz was one of the people behind the creation of SIXBID. I do not know if he is still part of it, but that would explain a lot :banghead:
     