Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Lego fans told to change their passwords right now following serious cyberattack

Lego.

BrickLink, a Lego-owned marketplace where users can buy and sell Lego parts, sets, and minifugures, has revealed it was recently a victim of a serious cyberattack.

The company confirmed the news via its forums, where it explained that its security team was “actively managing” some limited suspicious activity since mid-October. Apparently, someone gained access to seller accounts and was selling Lego assets at “huge discounts” while “fraudulently accepting payment from buyers”.

Soon after, on November 3, the company received a “threat and ransom demand” prompting it to shut its systems down “out of an abundance of caution”. The post did not elaborate who made the ransomware threat, what the attackers were threatening with, or how much money they were asking for. 

Lego fan accounts risk

The admin did say that there was no evidence of system compromise. Instead, they suspect credential stuffing, thinking the attackers bought (or stole) a username/password database elsewhere and tried it on the BrickLink platform until they logged into some accounts.

We also don’t know exactly how many accounts were compromised this way. The post only says that a “relatively small number of BrickLink accounts” were involved. Their true owners were notified of the breach. The company has now brought its systems back online, and urged its users to tighten up on security and stay vigilant. 

“Although we know that the BrickLink site was not breached, we've further strengthened our security. We take the safety of BrickLink and our members very seriously and will continue to step up security across the platform,” the post reads.

“We’ve informed people where we have reason to believe that their accounts or stores may have been impacted, and reminded members of ways they can make their accounts safer and more secure by practicing good data security”. 

Users are advised to keep their systems patched, use antivirus and endpoint security software, and create strong, unique passwords for each individual website.

Via The Verge

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.