HiBid hacked...do they have your credit card number?

WCraig
Joined Oct 10, 2018
HiBid.com is the platform behind a great number of online auctions in North America...and it was unreachable for the past 5 days. Apparently hacked and being held for ransom.

There seems to be little public information on this situation. The attack is reportedly against HiBid's parent company, Sandhills Global. One auctioneer that I follow emailed a link to the following article:

...Numerous sources have told BleepingComputer that a Conti ransomware attack is behind these outages.

This attack reportedly took place in the early morning hours of Thursday [September 30, 2021], causing the company to shut down all of its IT systems to prevent the attack's spread. ...
https://www.bleepingcomputer.com/ne...inery-markets-shut-down-by-ransomware-attack/

According to BleepingComputer (via Twitter), Sandhills has confirmed the attack but doesn't know if customer information was compromised by the hackers.

HiBid has my credit card number on file since that's how almost all the auctions get paid. I'm going to be watching my credit card account closely, and I may just get the card replaced. Have any other members also purchased through them?

Last night, I got two separate emails from auctioneers announcing that hibid.com was back up and that their auctions were ready for bidding. Neither acknowledged the hack or expressed a shred of concern. So I replied to each, pointing out that their service provider was hacked and asking how I could ever trust the platform again. I also asked how much of my personal information had been exposed, and particularly about my credit card number. Both replied promptly, but neither actually answered my questions. One suggested I call Sandhills Global directly and gave me a telephone number!*

The lack of communication from Sandhills really concerns me. It appears they are trying to sweep the whole incident under the rug and carry on as if nothing happened. That suggests they don't give a sh*t about their users. I find that very troubling and won't be bidding on any such auctions until they provide a clear and comprehensive accounting.

Craig

*Sandhills Global telephone systems were also down during the attack. A news report from yesterday said they were unable to contact Sandhills for comment...possibly because their telephone systems were still down!
 
Their phone system is also a computer system.

Having worked many of these, it's a nasty situation. Many of our customers were hacked. I was an Oracle DBA at a company that provided imaging solutions for hospitals, imaging centers, and doctors' offices. Hospitals were some of the first to be attacked years ago. Someone would receive an email, open it, and infect the whole network. It lay in wait, and then encrypted all their critical files. Pay to get them back.

Some of the customers had backups that were successful; others opted to pay the ransom, usually the fastest way back. The hackers were negotiable, at first asking for ridiculous amounts of money.

When I worked in the telecom field, my office mate was responsible for being a white-hat hacker. As he said, all systems are penetrable. You just have to find STUPID who left it open so they could get in.

Security is an illusion. People are idiots. I have seen people change the password of a critical system to PASSWORD... Fing idiots.
 
This ransomware is an issue.
I made sure to insist on the most robust firewall and anti-virus-spam offerings on the market.
We have a managed business network.
Pretty scary to think some scum bags can take over your business that you and your employees have built up just to be shut down and charged to get it back.
Grrrrrrr @#$%^&*!!
 
If they are PCI compliant, it would require them to encrypt all cardholder PANs. An encrypted PAN without the decryption key is useless. But who knows if they lied about that when dealing with payment processors.
 
If they are PCI compliant,
They likely are PCI DSS compliant.

I managed a program that took CC online for payment, and we had to pass a regular and rigorous audit to ensure we met the PCI DSS (Payment Card Industry Data Security Standard) compliance standard. Also, the card holder is not typically responsible for any CC theft. Watch your statement and, if any unauthorized uses of your card are noticed, contact the card company to get the charge removed. Of course there are exceptions to all rules, so your mileage may vary.
 
They likely are PCI DSS compliant.
...
They are still investigating whether any customer data was compromised. It'll probably be a while. It wouldn't matter if it's encrypted if they gave away the key. It depends a lot on the extent of what the hackers had control of. Was it just the OS, or the auction software itself? I know one thing: I'm staying clear of HiBid auction sites!

I am a lead developer for a Fortune 500 company that also goes through rigorous PCI compliance audits every year. I don't even have access to know how some of our customer data is encrypted. lol.
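The two posts above make a point worth seeing in code: an encrypted PAN is useless to someone who only steals the database (PCI DSS requires the stored PAN to be unreadable), but if the attacker also gets the key the encryption buys nothing. The following is an added illustration, not code from HiBid, Sandhills or any poster here. It assumes a hypothetical envelope-encryption layout in which each card record carries its own random data key, wrapped under a key-encryption key (KEK) that in practice would live in an HSM or KMS, never next to the data; the KEK values and the Visa test number 4111111111111111 used as input are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Record is what the database would hold per card: a masked PAN for display,
// the PAN sealed under a per-record data key, and that data key sealed under
// the KEK identified by KeyID. Nothing here is useful without the KEK.
type Record struct {
	Last4      string
	Ciphertext []byte // nonce || AES-256-GCM(PAN)
	WrappedDEK []byte // nonce || AES-256-GCM(data key) under the KEK
	KeyID      string // which KEK wrapped the data key (bound into the AAD)
}

// luhnValid rejects strings that cannot be a card number before we encrypt them.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// sealGCM returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any tampering with the blob or the aad fails authentication.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// EncryptPAN builds the stored record: fresh 256-bit data key per card, PAN
// sealed under it, data key sealed under the KEK. Only the last four digits
// survive in the clear.
func EncryptPAN(kek []byte, keyID, pan string) (Record, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return Record{}, errors.New("not a plausible PAN")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, []byte(pan), []byte(keyID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(keyID))
	if err != nil {
		return Record{}, err
	}
	return Record{Last4: pan[len(pan)-4:], Ciphertext: ct, WrappedDEK: wrapped, KeyID: keyID}, nil
}

// DecryptPAN needs the KEK: unwrap the data key, then open the PAN. A stolen
// database dump without the KEK stops at the first step.
func DecryptPAN(kek []byte, rec Record) (string, error) {
	dek, err := openGCM(kek, rec.WrappedDEK, []byte(rec.KeyID))
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pan, err := openGCM(dek, rec.Ciphertext, []byte(rec.KeyID))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

func main() {
	kek := []byte("demo-kek-32-bytes-not-for-prod!!") // constructed, 32 bytes
	rec, err := EncryptPAN(kek, "kek-2021-10", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ciphertext=%x\n", rec.Last4, rec.Ciphertext)
	if _, err := DecryptPAN([]byte("attacker-has-db-but-not-the-kek!"), rec); err != nil {
		fmt.Println("dump without KEK:", err)
	}
	pan, _ := DecryptPAN(kek, rec)
	fmt.Println("with the KEK (the 'gave away the key' case):", pan)
}
```

Binding the key ID into the GCM additional data means a record cannot be silently re-pointed at a different KEK, and per-record data keys keep a leaked KEK from being usable on a bulk dump until every wrapped key has been opened; neither helps once an attacker controls the host that holds the KEK, which is the scenario the second post describes.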
 
Thanks for the heads up; first I've heard of it. Disappointing that the company hasn't reached out to customers. [edit] The article linked by the OP did say the parent company reached out to customers, but I definitely didn't receive an email from them.

Some of you savvy folks may already do this, but this event is a good reminder to freeze your credit with the big 3 bureaus. I've had mine frozen indefinitely and only lift the freeze temporarily when needed for a credit application (which is very rare; I think I've only needed to do this twice in the last 4 years). The process is pretty easy, and I think some/all let you provide a duration for a temporary unfreeze, which is convenient.
 
Thanks for the heads up; first I've heard of it. Disappointing that the company hasn't reached out to customers. [edit] The article linked by the OP did say the parent company reached out to customers, but I definitely didn't receive an email from them.
...
HiBid's customers are the auction houses, and apparently at least some of them were informed of the attack. We, as bidders and buyers, are not actually customers of HiBid/Sandhills. It looks like they want to pretend that nothing happened. The Sandhills web site is back up, and neither their home page nor their News page has any mention of the incident.

Disgusting.

Craig
 
I am surprised at the number of cyber professionals in this group (and pleased). Yes, any security is only as good as your dumbest employee. Secure data-at-rest should be a part of every business's strategy, plus regular backups (with backups taken off-site). With good (and frequent) backups, you can tell any of those ransomware pirates to go pound sand (once you've figured out which idiot screwed up and gave them access). It might be time to also review policies on your domain, and make sure the less-technical folks on your network have zero rights to install any application which is not white-listed.

We live in a different world today, and your daddy's network security is no longer sufficient. I am shocked at watching hospitals and cities get nabbed by the bad guys so frequently. Who the #$% hired the losers who are managing and securing those networks? They certainly have the money to hire the right people; perhaps they need to start looking more at industry certifications than degrees when they employ people. I have seen the "product" that many colleges are graduating these days, and I am less than fully impressed.
 
I suspect that if we, as the end consumers, got an email any time a company that has some of our personal information was hacked, our inboxes would be overflowing.

BTW, if you want to lose some sleep, you can always check a list of some of the times your data has been stolen (I am sure this is not a complete list): go to haveibeenpwned.com and enter your email address.
 