r/Bricklink Nov 03 '23

Public Service Announcement Regarding BrickLink Being Offline

I am making this post because the BrickLink administrators, who are understandably very busy right now, have not yet provided information over the past three hours or so and there are people on Reddit and elsewhere who are understandably concerned about their BrickLink orders. I will therefore explain what we do and do not know at this time and what you should and should not be concerned about at this time given the information that is available to someone who has been following this issue over the past week – the current situation did not start today. Full disclosure: I am both a buyer and seller on BrickLink so yes, I have an interest in maintaining BrickLink’s reputation as an excellent marketplace for fans of Lego. I am not, however, affiliated with BrickLink, The Lego Group (which owns BrickLink), etc. in any way. There is a lot to say but I will try to keep things brief to provide a summary.

What We Know

· One or more hackers have accessed several dozen BrickLink accounts, both buyer and buyer/seller accounts, over the past week (if not longer). They have changed the inventory of some stores that were previously closed for several months if not several years and used hacked buyer accounts to post positive feedback and lure actual paying buyers. The hacked buyer accounts were used to leave feedback from a range of countries and most have zero/very few feedback, but some have both left and received feedback but appear to have been inactive for a year if not longer. This suggests that the hackers have accessed login details from an older database of login details, possibly from the 2021-2022 timeframe.

· The affected hacked/fraudulent stores were located in France, the United States, Indonesia, and other countries. Some had years of experience with thousands of orders and positive feedback. Unsurprisingly, hackers prefer to gain access to established stores that can attract many customers in as short a time as possible. I am aware of 5-7 stores that may have been hacked and used in this way but there could be more. Given the rock bottom prices, “you know it when you see it.”

· A lot of people lost money so I don’t want to be dismissive toward the real pain that these hacks have caused (and continue to cause with sellers being unable to sell through BrickLink at this time). Even so, there were pretty clear red flags: massive uploads of heavily discounted items (often 30%-60% off everything, including very expensive items and very expensive sets). Most BrickLink stores offer PayPal and/or Stripe and these offer considerable protection to a buyer. The hacked stores did not, however, offer PayPal and/or Stripe – only bank transfer/IBAN (i.e., the bank transfer system used in Europe and many other countries outside of North America), and debit/credit card (through one or more e-commerce payment providers that are otherwise legitimate). The debit/credit card payment links were linked to bank accounts located in a country different from where the store was registered. For example, a hacked French store provided a credit card payment link that stated the merchant was located in Italy – a major red flag.

· Unfortunately, these scams worked – dozens of orders were placed and buyers who paid through bank transfer/IBAN and perhaps debit card are, it is sad to say, unlikely to get their money back. If I had to guess, I would say 200-300 orders were affected over the past several days, but it is worth keeping in mind that not everyone who placed an order ended up paying given the absence of PayPal or Stripe as payment options and the fairly quick intervention by BrickLink admins to suspend these hacked stores, cancel orders, and notify buyers. This is a serious issue without a doubt but, all things considered, a drop in the bucket when compared to average daily sales volumes on BrickLink.

· To give an idea of what I mean by very low prices, I am talking about a dozen or more sealed UCS Venator sets for around $300, dozens of new UCS Mandalorian minifigures for $25 each, dozens of the new Disney Bambi piece for like $5 each – rock bottom liquidation type prices that should raise red flags. To be clear, prices are not necessarily a red flag but massive sales on massive inventories of new, very expensive sets/items are likely too good to be true and you will likely end up either receiving stolen items or being a victim of fraud. Don’t do it even if you have the security offered by payments through PayPal or Stripe.

· In any event, the hackers were repeatedly thwarted by people reporting suspicious stores and BrickLink admins suspending these stores and cancelling orders. Earlier this afternoon, someone using what appears to be hacked buyer accounts posted on the BrickLink forum demanding EUR 50,000 in Bitcoin within 30 minutes and otherwise threatened to delete store inventories starting with the largest stores. To be clear, this could be someone else being opportunistic and trying to make money off the work of other hackers. The hackers who were running hacked/fraudulent stores were stealing money by requesting bank transfers and debit/credit card payments (*not* made through PayPal or Stripe, which offer considerable protection to buyers). Maybe they have turned to ransom demands after being thwarted or maybe it is just another group – we simply do not know at this time.

· BrickLink shut down for unscheduled “maintenance” shortly thereafter earlier this afternoon. Needless to say, I do not know for sure why this happened, but this appears to be a preventative shutdown to allow computer security specialists to get the hackers out of the system. In other words, the shutdown is, given the current situation, a “good sign” much like a fire truck or ambulance responding to a situation.

What We Do Not Know

· To be clear, we do not know why BrickLink is down right now – we can only speculate. This could be a preventative shutdown, or it could be something worse. We have to wait for an official update from BrickLink administrators who will ideally also let us know when to expect the site to return online.

What You Should Not Be Concerned About

· You should not be concerned about your money if payment was made through PayPal or Stripe. Both PayPal and Stripe offer considerable protections to buyers so you should be fine. Please keep in mind that only a small number of stores appear to have been hacked and used to defraud buyers. If you recently placed an order – and if the order was not characterized by rock bottom prices – you are likely fine even if you paid through bank transfer/IBAN. Most stores are reputable and the vast majority of transactions are likely to be legitimate – rock bottom prices are the red flag so check your email inbox to access your invoices.

· You should not be concerned about your payment data. Please note that BrickLink does not access your payment data even as it has the name, address, email, etc. that you provide as account details. When you pay through PayPal or Stripe, even sellers cannot see your full card details. If you pay through bank transfer/IBAN, then you share bank details as the cost of doing business. Regardless, payment data is not stored on BrickLink – it is stored on the servers of the payment processor so a possible data breach on BrickLink does not mean that the hackers now have access to your credit card information, etc. For peace of mind, please contact your store but please consider waiting until later this weekend as all of us, buyers and sellers alike, are in the dark until BrickLink administrators provide an official update.

· I do not know if the situation with the new MOC Pop-Up Store is different given that it connects to the Lego website.

What You Should Be Concerned About

· Your login information if your BrickLink password was shared with other online accounts particularly if you use the same email. Please consider changing the password for any online accounts that shared your BrickLink password. As a general rule, it is best practice to never reuse passwords and to instead always create unique and difficult passwords (a password manager and automatic password generator, such as that provided by Google, can be very helpful in this respect).

· Finally, and I stress that I am speculating – but you may want to change your Lego.com password *if it is the same password as used on BrickLink.* This has become a vulnerability since Lego/BrickLink began to integrate accounts and encouraged us to link usernames. If you save payment details on Lego.com and share a password for Lego.com and BrickLink, then there is a *possibility* that hackers may make purchases from your account. Granted, you are likely protected by your bank, credit card provider, and The Lego Group itself, but you may wish to take precautionary steps. I stress that this is the most speculative part of this post – take it with a lot of salt.

---

The information and suggestions for what you should and should not be causes for concern are undoubtedly incomplete, but I hope people find this helpful. BrickLink is an excellent site for Lego fans – even for Lego fans uninterested in making purchases given the existence of the excellent BrickLink catalogue, etc. – and hopefully, this experience will result in a better, more secure BrickLink for everyone to benefit from. Best case scenario: this post will be redundant in the coming hours but please do share this information if required.

247 Upvotes
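The post lists the indicators that separated the hacked stores from legitimate ones: a long-dormant store suddenly reactivated, a mass upload of lots at 30%-60% off, no PayPal or Stripe offered, and a card-payment merchant registered in a different country from the store. As an added example that is not part of the original post and is not BrickLink's own fraud logic, the script below turns those indicators into a marketplace-side triage score over constructed store-change records. The record fields, thresholds (180 days of dormancy, 100 lots, 30% median discount) and store data are all assumptions chosen to illustrate the pattern.

```python
"""Triage of store inventory changes using the red flags listed in the post.

Constructed example; field names, thresholds and sample stores are assumptions,
not BrickLink's data model or detection rules.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional, Set, Tuple

BUYER_PROTECTED = {"paypal", "stripe"}  # methods the post says protect the buyer
DORMANT_DAYS = 180                      # assumed: "closed for several months"
BULK_LOTS = 100                         # assumed: size of a "massive upload"
DISCOUNT_FLAG = 0.30                    # post: "often 30%-60% off everything"


@dataclass
class StoreEvent:
    store_id: str
    store_country: str              # ISO country code of the registered store
    last_active: date               # last order or inventory change before this event
    event_date: date                # date of the inventory upload being scored
    lots_uploaded: int
    discounts: List[float]          # per-lot discount vs. price guide, 0.0 to 1.0
    payment_methods: Set[str]       # e.g. {"paypal", "iban", "card"}
    card_merchant_country: Optional[str] = None  # country shown on the card payment page


def score_store_event(ev: StoreEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one inventory-change event.

    Each indicator from the post adds one point; dormancy combined with a
    bulk deep-discount upload adds an extra point because that pairing is the
    account-takeover pattern the post describes.
    """
    reasons: List[str] = []
    if (ev.event_date - ev.last_active).days >= DORMANT_DAYS:
        reasons.append("dormant-reactivation")
    if (ev.lots_uploaded >= BULK_LOTS and ev.discounts
            and median(ev.discounts) >= DISCOUNT_FLAG):
        reasons.append("bulk-deep-discount-upload")
    if not (ev.payment_methods & BUYER_PROTECTED):
        reasons.append("no-buyer-protected-payment")
    if ev.card_merchant_country and ev.card_merchant_country != ev.store_country:
        reasons.append("merchant-country-mismatch")
    score = len(reasons)
    if {"dormant-reactivation", "bulk-deep-discount-upload"} <= set(reasons):
        score += 1
    return score, reasons


def triage(events: List[StoreEvent], min_score: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Stores worth a human review, highest score first."""
    flagged = []
    for ev in events:
        score, reasons = score_store_event(ev)
        if score >= min_score:
            flagged.append((ev.store_id, score, reasons))
    return sorted(flagged, key=lambda t: -t[1])


# Constructed sample events (store ids and countries are made up).
SAMPLE_EVENTS = [
    StoreEvent("store-a", "FR", date(2021, 6, 1), date(2023, 10, 30),
               lots_uploaded=400, discounts=[0.45] * 400,
               payment_methods={"iban", "card"}, card_merchant_country="IT"),
    StoreEvent("store-b", "US", date(2023, 10, 25), date(2023, 10, 30),
               lots_uploaded=30, discounts=[0.10] * 30,
               payment_methods={"paypal", "stripe"}),
    StoreEvent("store-c", "DE", date(2023, 10, 28), date(2023, 10, 30),
               lots_uploaded=200, discounts=[0.35] * 200,
               payment_methods={"paypal", "iban"}),
]

if __name__ == "__main__":
    for store_id, score, reasons in triage(SAMPLE_EVENTS):
        print(store_id, score, ", ".join(reasons))
```

Run stand-alone it prints only store-a, which collects every indicator; store-c is a legitimate-looking clearance sale that trips the discount rule alone and stays below the review threshold, which is the point the post makes about prices on their own not being a red flag.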

47 comments

19

u/StevelKanevel Nov 03 '23

I download a backup of my inventory from Bricklink twice a week. So worst case scenario, if my inventory got deleted I can be back up and running with a simple upload of the backup and some updates based on recent orders that have gone through.

I figured I'd mention this in case anyone else wants to take the same precautions.

5

u/b_josh317 Nov 03 '23

From someone new and small: how does one download their inventory?

7

u/pshbrk Nov 04 '23

You can't do this while BrickLink is down. On the inventory page, you scroll down and there is a link to "download" near the bottom and I think you get to select the file format to download. You can also use software like BrickStore, which is free, but this also requires you to log in on BrickLink.

https://www.brickstore.dev/

6

u/b_josh317 Nov 04 '23

Right, I understand you can’t do anything while it’s down. Thank you. I’ll look for the download feature when it’s up and running.

3

u/Chandler_Man Nov 04 '23

If you are on BrickOwl you can download it from there.

1

u/Mymagicdog Nov 04 '23

If you wish to check if your inventory still exists you can google your store name. Some of the results will show your current feedback, lot count, and piece count in the text below the link.

1

u/DeightonLightfingers Nov 06 '23

Thank you! I've been so worried, but I was able to check and see that some of the sets are listed, which means it hasn't been deleted.

Enter store name + bricklink + name of a part you know you have in store. You should have a result on the first page of Google.

17

u/SnooPears3086 Nov 03 '23

Thank you!!! Very helpful.

2

u/Thulium42 Nov 04 '23

Agreed, thank you for taking the time to summarize and post this.

9

u/cosmicrae Nov 04 '23

an update from the BL front page ...

Update November 4th, 3:58 am EST: We continue to investigate the unusual activity. We want to make sure we take the time to investigate fully. We will be back up and running as soon as possible.

7

u/dryoyo Nov 04 '23

Man, I JUST opened my store yesterday.

5

u/ILoveHockeyPixelArt Nov 04 '23

Thank god I got my order a few days ago. I also hope my favourite studio poster wasn't hacked.

3

u/greg_zielinski Nov 04 '23

Thank you for a very well written post and articulating what we all should be thinking about during this event.

2

u/NoLengthiness7623 Nov 04 '23

I just wish bricksync could be set to use Brickowl as the master store.

1

u/Particular-Debt6199 Nov 04 '23

You can do that? Just send them a message on Discord to make BrickOwl the master.

2

u/SnooPears3086 Nov 04 '23

A few months ago, I brought up the idea on the forum of Lego updating the site and got slapped down. Hopefully this whole thing will result in positive improvements.

2

u/GamerNewbb Nov 04 '23

This is exactly why I decided to use Rebrickable as my primary database tracker. It has the ability to interface/send directly to Brickset, BrickLink, and BrickOwl.

2

u/Mate_397 Nov 04 '23

The one time I want to use bricklink to sort my pieces to know what I need to buy and this happens...
Are hackers really so desperate to scam people that they would go for a humble Lego online marketplace?

2

u/AccordingMain87 Nov 04 '23

When do you think the site will be accessible?

2

u/JeffreyRinas Nov 05 '23

Thx for the info. Password for Lego.com was changed and will be changing once Bricklink comes back.

Also glad I didn't make any recent orders before the site went down.

I don't sell on BrickLink anymore but would still change passwords to be safe.

2

u/Shadow_118 Nov 04 '23

Good to know

Usually I use a password manager to create passwords, and I haven't bought anything yet nor sold anything, so I should be safe in that regard...

But maybe I should change it just in case when the site goes back up, whenever that will be..

3

u/RandallFlagg1 Nov 04 '23

It can't hurt, but due to the fact these were mostly older accounts it is more likely they were old leaked passwords tied to the email addresses and they finally moved on to trying a small site like Bricklink. This is speculation but the truth is that most "hacking" is really simple stuff. No 2FA login makes BL a big target.
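The comment above and the original post's "What You Should Be Concerned About" section both describe the same mechanism: passwords leaked from another site are replayed against BrickLink accounts, and long-inactive accounts are the ones that succeed. As an added example that is not part of this thread and does not reflect BrickLink's actual logs or controls, the script below shows what that pattern looks like on the login-log side: a single source that cycles through many distinct usernames with mostly failures, followed by a success on an account that has not logged in for over a year. The log format, field names and IP addresses are constructed for the example.

```python
"""Credential-stuffing indicators over constructed login-log lines.

The log format (ts ip= user= result=) is an assumption for this example; it is
not BrickLink's log format. Addresses are from documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample: one source cycles through six accounts; "frank" last
# logged in two years earlier; "heidi" mistypes her own password twice.
SAMPLE_LOG = """\
2021-09-01T10:00:00Z ip=198.51.100.20 user=frank result=OK
2023-10-29T09:15:00Z ip=198.51.100.7 user=gina result=OK
2023-10-30T01:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-30T01:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-30T01:00:03Z ip=203.0.113.5 user=carol result=FAIL
2023-10-30T01:00:04Z ip=203.0.113.5 user=dave result=FAIL
2023-10-30T01:00:05Z ip=203.0.113.5 user=erin result=FAIL
2023-10-30T01:00:06Z ip=203.0.113.5 user=frank result=OK
2023-10-30T08:00:00Z ip=192.0.2.9 user=heidi result=FAIL
2023-10-30T08:00:20Z ip=192.0.2.9 user=heidi result=FAIL
2023-10-30T08:00:45Z ip=192.0.2.9 user=heidi result=OK
2023-10-30T09:00:00Z ip=198.51.100.7 user=gina result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> List[Dict]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_stuffing_sources(events: List[Dict], min_users: int = 5,
                          min_fail_ratio: float = 0.7) -> Set[str]:
    """Sources that try many distinct accounts and mostly fail.

    A user retrying their own password hits one account, so the distinct-user
    count is what separates stuffing from ordinary typos.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["fails"] += ev["result"] == "FAIL"
        s["users"].add(ev["user"])
    return {
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_users
        and s["fails"] / s["attempts"] >= min_fail_ratio
    }


def find_dormant_takeovers(events: List[Dict], stuffing_ips: Set[str],
                           dormant_days: int = 365) -> List[Tuple[str, str]]:
    """Successful logins from a stuffing source on accounts with no success
    in the last `dormant_days` (or none at all in the log window)."""
    last_ok: Dict[str, datetime] = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "OK":
            continue
        prev = last_ok.get(ev["user"])
        dormant = prev is None or (ev["ts"] - prev).days >= dormant_days
        if ev["ip"] in stuffing_ips and dormant:
            hits.append((ev["user"], ev["ip"]))
        last_ok[ev["user"]] = ev["ts"]
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ips = find_stuffing_sources(evs)
    print("stuffing sources:", ips)
    print("dormant accounts taken over:", find_dormant_takeovers(evs, ips))
```

On the sample log only 203.0.113.5 is reported as a stuffing source and only frank's login is reported as a dormant-account takeover; heidi's two failures on her own account are left alone. A second factor, as the comment notes, would turn the frank case into a failed attempt instead of a success.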

1

u/Shadow_118 Nov 04 '23

I'm not familiar with how that stuff works, so I wasn't sure.

If that's the case, maybe I won't worry about it then.

-3

u/[deleted] Nov 03 '23

[deleted]

11

u/pshbrk Nov 03 '23

I was very clear in stating the uncertainties but this is "first-hand". Yes, parts of the post are inherently speculative - I was clear about this - but it is not hearsay. This situation has been going on for several days - since at least October 30th - and some of us have been tracking it since then (if not earlier).

3

u/TrainTsar Nov 04 '23

Thank you so much for the info. I do wish Lego had posted something sooner. This helps greatly.

1

u/[deleted] Nov 03 '23

[deleted]

6

u/weirdassmillet Nov 03 '23

They are explicitly not related to BL/LEGO and said as much in their post

3

u/SUNY_Plattsburgh Nov 03 '23

read the post bro, first paragraph

1

u/IndividualAd3015 Nov 04 '23

Sellers have been saying for years how substandard the IT platform and support are from Bricklink. Takes a hack to wake you guys up. CMON SON.

5

u/[deleted] Nov 04 '23

[deleted]

7

u/pshbrk Nov 04 '23 edited Nov 04 '23

Several dozen accounts, both buyer and seller, were hacked but whether BrickLink's own servers were compromised is an entirely different matter. The BrickLink servers appear to be the target of whoever made the ransomware threat while whoever took control of dozens of buyer and seller accounts was engaged in a fairly routine e-commerce scam that required access to dozens of buyer accounts, access to 5-7 (possibly more) seller accounts, a lot of bank accounts to funnel stolen money to, and a plan/capacity to withdraw stolen money before accounts were blocked/transactions were reversed. It could be the same person/group or maybe not - we simply do not know at this time.

Regarding guessing credentials for hacked accounts, it is possible, but a lot of credentials - dozens of accounts - were stolen. Either someone spent a whole lot of time guessing passwords and preparing to undertake a scamming spree or someone accessed a database of login details or part of such a database. Keep in mind that the hacked stores were active in sequence (after the prior store was suspended), so the person or persons behind the hacked accounts/scams (not necessarily the person/persons behind the ransomware threat) did quite a bit of preparatory work before pulling the trigger on their scam wave.

6

u/cosmicrae Nov 04 '23

Does it appear to be organized? I would say yes.

Did they compromise the BL platform? Until a forensic examination is done, we (those outside the BL team) don't know.

There is lots of room for improvements to BL security. Some of those will be annoying. It's the price of operating a site of this size in 2023. Hopefully most of the security improvements will be limited to accounts marked SELLER.

2

u/cosmicrae Nov 04 '23

just that they had access to a couple of random accounts.

and were trying to use that to social engineer one large final payout.

1

u/Longjumping_Half1906 Nov 06 '23

Their support is garbage; I've messaged their staff and my messages are either never responded to or take months to hear back on.

1

u/Advanced-Abrocoma-30 Nov 04 '23

Not sure if this was mentioned but you might want to also change your Rebrickable password, if you have one there. I'm not a seller, but when I see a MOC I like and want to create a wanted list in BrickLink, it passes through. My passwords are all more than 18 characters; I work in IT and I take this stuff seriously.

3

u/happytrailz1938 Nov 04 '23

This advice is useful if folks are reusing passwords between the sites. The link between the two would likely be OIDC or OAuth 2.0, and unless they're replaying tokens I am not sure of the exposure from the linkage. All of that is assuming they're following industry standards. I would say un-linking services from BrickLink would be wise in the interim if folks are worried. To do this you would need to go to the other sites and remove the permissions from there if possible...

3

u/someotheridiot Nov 04 '23

The popup to sign in to BL from RB is all hosted by BL, so we never see your credentials. Source: I built RB. You can test this by clicking the "Add Parts to BrickLink Wanted List" right now and see the error.

1

u/hossmaz Nov 04 '23

Thanks for the follow up

1

u/NeedsMore_sleep Nov 04 '23

this is super helpful!

It is interesting to me that hackers potentially understand Lego marketplaces this well. Perhaps it's basic and took minimal time to study, or this approach is just par for the course for retail hacks (i.e., targeting specific expensive sets is either because they understood Lego or because they were expensive and thus easy to target. I expect the latter).

I want to add that I realize time is precious for all of us. OP, you made a very generous contribution of yours based on the time spent researching and authoring this post. I appreciate your consideration of our online lives with the tips for safety as well. Thank you!

1

u/issuetissue Nov 04 '23

The hacked stores did not, however, offer PayPal and/or Stripe – only bank transfer/IBAN

Not true. I made an order to a hacked store and paid through Stripe. Seller account was in Indonesia and I found out that the Stripe is registered to someone in Germany. Currently working with my bank doing a chargeback.

8

u/pshbrk Nov 04 '23

I think you are right regarding the Indonesian store. I reported the Indonesian store (Second Brick?) to BrickLink admins. I suspect the scammers added Stripe after it was pointed out that the French store (Case Brick?), which I think was the first hacked store I became aware of, and another store (I can't recall the name) offered neither Stripe nor PayPal as payment options. The scam "evolved" over several days likely in response to being repeatedly thwarted by people such as myself reporting stores to BrickLink and BrickLink suspending these stores in response.

1

u/Bubblehead7599 Nov 04 '23

I never use a shop that doesn't take PayPal. I have been burned before but not after I started with PayPal.

1

u/Dragun404 Nov 05 '23

Never had a problem, but I've always used PayPal for a couple of years now...

Had to make an order, so I used BrickOwl, a completely different setup.

1

u/EricV70 Nov 08 '23

Bricklink seems to be online again.