I mainly lurk on Reddit so forgive the non-conformity with the usual post styles
Public Service Announcement Regarding BrickLink Being Offline
I am making this post because the BrickLink administrators, who are understandably very busy right now, have not yet provided information over the past three hours or so and there are people on Reddit and elsewhere who are understandably concerned about their BrickLink orders. I will therefore explain what we do and do not know at this time and what you should and should not be concerned about at this time given the information that is available to someone who has been following this issue over the past week – the current situation did not start today. Full disclosure: I am both a buyer and seller on BrickLink so yes, I have an interest in maintaining BrickLink’s reputation as an excellent marketplace for fans of Lego. I am not, however, affiliated with BrickLink, The Lego Group (which owns BrickLink), etc. in any way. There is a lot to say but I will try to keep things brief to provide a summary.
What We Know
· One or more hackers have accessed several dozen BrickLink accounts, both buyer and buyer/seller accounts, over the past week (if not longer). They have changed the inventory of some stores that were previously closed for several months if not several years and used hacked buyer accounts to post positive feedback and lure actual paying buyers. The hacked buyer accounts were used to leave feedback from a range of countries and most have zero/very few feedback, but some have both left and received feedback but appear to have been inactive for a year if not longer. This suggests that the hackers have accessed login details from an older database of login details, possibly from the 2021-2022 timeframe.
· The affected hacked/fraudulent stores were located in France, the United States, Indonesia, and other countries. Some had years of experience with thousands of orders and positive feedback. Unsurprisingly, hackers prefer to gain access to established stores that can attract many customers in as short a time as possible. I am aware of 5-7 stores that may have been hacked and used in this way but there could be more. Given the rock bottom prices, “you know it when you see it.”
· A lot of people lost money so I don’t want to be dismissive toward the real pain that these hacks have caused (and continue to cause with sellers being unable to sell through BrickLink at this time). Even so, there were pretty clear red flags: massive uploads of heavily discounted items (often 30%-60% off everything, including very expensive items and very expensive sets). Most BrickLink stores offer PayPal and/or Stripe and these offer considerable protection to a buyer. The hacked stores did not, however, offer PayPal and/or Stripe – only bank transfer/IBAN (i.e., the bank transfer system used in Europe and many other countries outside of North America), and debit/credit card (through one or more e-commerce payment providers that are otherwise legitimate). The debit/credit card payment links were linked to bank accounts located in a country different from where the store was registered. For example, a hacked French store provided a credit card payment link that stated the merchant was located in Italy – a major red flag.
· Unfortunately, these scams worked – dozens of orders were placed and buyers who paid through bank transfer/IBAN and perhaps debit card are, it is sad to say, unlikely to get their money back. If I had to guess, I would say 200-300 orders were affected over the past several days, but it is worth keeping in mind that not everyone who placed an order ended up paying given the absence of PayPal or Stripe as payment options and the fairly quick intervention by BrickLink admins to suspend these hacked stores, cancel orders, and notify buyers. This is a serious issue without a doubt but, all things considered, a drop in the bucket when compared to average daily sales volumes on BrickLink.
· To give an idea of what I mean by very low prices, I am talking about a dozen or more sealed UCS Venator sets for around $300, dozens of new UCS Mandalorian minifigures for $25 each, dozens of the new Disney Bami piece for like $5 each – rock bottom liquidation type prices that should raise red flags. To be clear, prices are not necessarily a red flag but massive sales on massive inventories of new, very expensive sets/items are likely too good to be true and you will likely end up either receiving stolen items or being a victim of fraud. Don’t do it even if you have the security offered by payments through PayPal or Stripe.
· In any event, the hackers were repeatedly thwarted by people reporting suspicious stores and BrickLink admins suspending these stores and cancelling orders. Earlier this afternoon, someone using what appears to be hacked buyer accounts posted on the BrickLink forum demanding EUR 50,000 in Bitcoin within 30 minutes and otherwise threatened to delete store inventories starting with the largest stores. To be clear, this could be someone else being opportunistic and trying to make money off the work of other hackers. The hackers who were running hacked/fraudulent stores were stealing money by requesting bank transfers and debit/credit card payments (*not* made through PayPal or Stripe, which offer considerable protection to buyers). Maybe they have turned to ransom demands after being thwarted or maybe it is just another group – we simply do not know at this time.
· BrickLink shut down for unscheduled “maintenance” shortly thereafter earlier this afternoon. Needless to say, I do not know for sure why this happened, but this appears to be a preventative shutdown to allow computer security specialists to get the hackers out of the system. In other words, the shutdown is, given the current situation, a “good sign” much like a fire truck or ambulance responding to a situation.
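As an added illustration that is not part of the original post, here are the red flags listed above turned into a simple defensive scoring check over constructed store records; the field names, thresholds and sample values are my assumptions, not BrickLink's data model.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed record of a store's current state; the field names are assumptions,
# not BrickLink's data model.
@dataclass
class Store:
    name: str
    country: str                          # country the store is registered in
    payment_methods: Set[str]             # e.g. {"paypal", "stripe", "iban", "card"}
    card_merchant_country: Optional[str]  # country shown on the card payment link
    last_active: date                     # last activity before the current upload
    upload_date: date                     # date of the large inventory upload
    median_discount: float                # fraction off catalogue price, 0.45 = 45% off
    feedback_from_dormant: float          # share of recent feedback from dormant/zero-feedback accounts

def red_flags(store: Store) -> List[str]:
    """Return the indicators from the post that this store exhibits."""
    flags = []
    if store.median_discount >= 0.30:
        flags.append("blanket 30%+ discount on the whole inventory")
    if not (store.payment_methods & {"paypal", "stripe"}):
        flags.append("no PayPal/Stripe, only bank transfer or card")
    if store.card_merchant_country and store.card_merchant_country != store.country:
        flags.append("card merchant country differs from store country")
    if (store.upload_date - store.last_active).days >= 180:
        flags.append("store dormant for months, then suddenly restocked")
    if store.feedback_from_dormant >= 0.5:
        flags.append("recent feedback mostly from dormant or zero-feedback accounts")
    return flags

def risk_level(store: Store) -> str:
    """Three or more indicators together is the pattern described in the post."""
    n = len(red_flags(store))
    return "high" if n >= 3 else "elevated" if n >= 1 else "low"

# Constructed examples: one matching the hacked-store pattern, one ordinary store.
HACKED_STORE = Store("Example Bricks FR", "FR", {"iban", "card"}, "IT",
                     date(2022, 3, 1), date(2024, 9, 20), 0.45, 0.8)
ORDINARY_STORE = Store("Example Bricks DE", "DE", {"paypal", "stripe", "iban"}, None,
                       date(2024, 9, 18), date(2024, 9, 20), 0.05, 0.0)

if __name__ == "__main__":
    for s in (HACKED_STORE, ORDINARY_STORE):
        print(s.name, risk_level(s), red_flags(s))
```

A single indicator on its own (a sale, or a store that only takes bank transfer) is common and legitimate; it is the combination that matches the pattern described above.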
What We Do Not Know
· To be clear, we do not know why BrickLink is down right now – we can only speculate. This could be a preventative shutdown, or it could be something worse. We have to wait for an official update from BrickLink administrators who will ideally also let us know when to expect the site to return online.
What You Should Not Be Concerned About
· You should not be concerned about your money if payment was made through PayPal or Stripe. Both PayPal and Stripe offer considerable protections to buyers so you should be fine. Please keep in mind that only a small number of stores appear to have been hacked and used to defraud buyers. If you recently placed an order – and if the order was not characterized by rock bottom prices – you are likely fine even if you paid through bank transfer/IBAN. Most stores are reputable and the vast majority of transactions are likely to be legitimate – rock bottom prices are the red flag so check your email inbox to access your invoices.
· You should not be concerned about your payment data. Please note that BrickLink does not access your payment data even as it has the name, address, email, etc. that you provide as account details. When you pay through PayPal or Stripe, even sellers cannot see your full card details. If you pay through bank transfer/IBAN, then you share bank details as the cost of doing business. Regardless, payment data is not stored on BrickLink – it is stored on the servers of the payment processor so a possible data breach on BrickLink does not mean that the hackers now have access to your credit card information, etc. For peace of mind, please contact your store but please consider waiting until later this weekend as all of us, buyers and sellers alike, are in the dark until BrickLink administrators provide an official update.
o I do not know if the situation with the new MOC Pop-Up Store is different given that it connects to the Lego website.
What You Should Be Concerned About
· Your login information if your BrickLink password was shared with other online accounts particularly if you use the same email. Please consider changing the password for any online accounts that shared your BrickLink password. As a general rule, it is best practice to never reuse passwords and to instead always create unique and difficult passwords (a password manager and automatic password generator, such as that provided by Google, can be very helpful in this respect). I say this as someone who reported several of these seemingly hacked stores to BrickLink – only a small number of open stores – likely less than a dozen – were actively affected (open to defraud buyers) and these were suspended by BrickLink admins.
· Finally, and I stress that I am speculating – but you may want to change your Lego.com password *if it is the same password as used on BrickLink.* This has become a vulnerability since Lego/BrickLink began to integrate accounts and encouraged us to link usernames. If you save payment details on Lego.com and share a password for Lego.com and BrickLink, then there is a *possibility* that hackers may make purchases from your account. Granted, you are likely protected by your bank, credit card provider, and The Lego Group itself, but you may wish to take precautionary steps. I stress that this is the most speculative part of this post – take it with a lot of salt.
---
The information and suggestions for what you should and should not be causes for concern are undoubtedly incomplete, but I hope people find this helpful. BrickLink is an excellent site for Lego fans – even for Lego fans uninterested in making purchases given the existence of the excellent BrickLink catalogue, etc. – and hopefully, this experience will result in a better, more secure BrickLink for everyone to benefit from. Best case scenario: this post will be redundant in the coming hours but please do share this information if required.