Hackers steal gun owners' data from firearm auction website

Hackers breached a website that allows people to buy and sell guns, exposing the identities of its users, TechCrunch has learned.

The breach exposed reams of sensitive personal data for more than 550,000 users, including customers' full names, home addresses, email addresses, plaintext passwords and telephone numbers. Also, the stolen data allegedly makes it possible to link a particular person with the sale or purchase of a specific weapon.

“With this data, you can then take a public listing...and resolve it back to the [data in the stolen database] so you have the name, email and physical address and phone number of [the seller] and presumably, the location of the gun,” Troy Hunt, a cybersecurity expert who runs the popular data breach repository and alerting service Have I BeenPwned, told TechCrunch. (The researcher who found the breach shared the data with Hunt so he can upload it to Have I BeenPwned.)

At the end of last year, a security researcher — who asked to remain anonymous — discovered a server containing the data, which turned out to be used by a hacker (or group of hackers) who was using the server to store the stolen data. The server was not protected by any system to limit or control who could access it, so the researcher downloaded the data and analyzed it.

What he found was data taken from the website GunAuction.com, a site that since 1998 allows people to put guns for auction online.

A screenshot of GunAuction.com
A screenshot of GunAuction.com

A screenshot of GunAuction.com

TechCrunch analyzed a sample of the stolen data, and reached out to 100 people via email and 60 via phone call. Of those, 10 people confirmed that the data contained in the stolen database was accurate. It’s unclear, however, how recent the data is, given that for 25 email addresses our message bounced back or could not be delivered, and several phone numbers were also disconnected.

GunAuction.com CEO Manny DelaCruz confirmed the breach in an email.

“I can confirm that we were recently contacted by the FBI regarding the possibility of a data breach that has affected our company,” DelaCruz wrote in the statement. “The breach likely exposed personal customer information like names, addresses, and email addresses. However, we want to reassure our customers that we have no reason to believe that any financial information was accessed during the breach. We are advising our customers to remain vigilant and monitor their financial accounts and credit reports for any suspicious activity.”

DelaCruz added that “our intention is to inform affected users very soon.”

This is not the first time that sensitive data about gun owners has been exposed. Last year, California's Department of Justice mistakenly leaked personal data, “including gun owners’ names, birthdays, addresses, ages, the purchase date and type of firearm permit they possessed, and their Criminal Identification Index numbers, which are used to track state and federal criminal records,” according to Gizmodo.

Do you have more information about this breach? Or similar breaches? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.