A website that allows people to buy and sell guns has been breached by hackers, who stole data that reveals the identities of its users.
The breach exposed reams of sensitive personal data for over 550,000 users, including full names, home addresses, email addresses, plaintext passwords, and phone numbers. Furthermore, the stolen data allegedly allows one to link a specific person to the sale or purchase of a specific weapon.
“With this data, you can then take a public listing…and resolve it back to the [data in the stolen database] so you have the name, email and physical address and phone number of [the seller] and presumably, the location of the gun,” Troy Hunt, a cybersecurity expert who runs the popular data breach repository and alerting service Have I Been Pwned, told TechCrunch. (The researcher who discovered the breach shared the data with Hunt so that he could upload it to Have I Been Pwned.)
At the end of last year, a security researcher who requested anonymity discovered a server containing the data. The server turned out to be used by a hacker, or more likely a group of hackers, to store the stolen data. Because there was no system in place to limit or control who could access the server, the researcher was able to download and analyze the data.
He discovered data from the website GunAuction.com, which has allowed people to put guns up for auction online since 1998.
A sample of the stolen data was analyzed: 100 people were contacted by email and 60 by phone. Of those 160 people, 10 confirmed the accuracy of the data contained in the stolen database. However, it's unclear how recent the data is, given that messages to 25 email addresses bounced back or could not be delivered and several phone numbers were disconnected.
Manny DelaCruz, CEO of GunAuction.com, confirmed the breach in an email.
“I can confirm that we were recently contacted by the FBI regarding the possibility of a data breach that has affected our company,” DelaCruz wrote in the statement. “The breach likely exposed personal customer information like names, addresses, and email addresses. However, we want to reassure our customers that we have no reason to believe that any financial information was accessed during the breach. We are advising our customers to remain vigilant and monitor their financial accounts and credit reports for any suspicious activity.”
DelaCruz added that “our intention is to inform affected users very soon.”
This is not the first time that sensitive data about gun owners has been exposed. Last year, California’s Department of Justice mistakenly leaked personal data, “including gun owners’ names, birthdays, addresses, ages, the purchase date and type of firearm permit they possessed, and their Criminal Identification Index numbers, which are used to track state and federal criminal records,” according to Gizmodo.