LivingSocial Hacked: Cyber Attack Affects More Than 50 Million Customers

Hackers Are Intent on Gettin’ Our Personal Info.

We Need to Be Very Vigilant…

Online deals site LivingSocial said its computer systems were hacked on Friday, which may have compromised the personal data of more than 50 million of its customers.

Hackers gained access to customer data from the company’s servers, which included their names, email addresses, dates of birth, and encrypted passwords, the company said.

The cyber attackers did not gain access to the database where customers’ credit card information was stored, LivingSocial spokesman Andrew Weinstein told ABC News.

Weinstein said customers in South Korea, Thailand, Indonesia, and the Philippines were not impacted by the security breach since their passwords were stored on different servers.

But in all other countries where LivingSocial operates, customers were being notified that their information was at risk in the breach.

On LivingSocial’s website, the company provided a banner notice for customers to update their accounts.

Weinstein said that since the hack, customers were also notified in an email written by CEO Tim O’Shaughnessy to change their passwords.

O’Shaughnessy also advised customers to reset their passwords on other websites if they were similar to the ones they used on LivingSocial.

“The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future,” O’Shaughnessy wrote.

O’Shaughnessy also emailed his staff — who he referred to as LivingSocialities — to notify them of the hack.

“We need to do the right thing for our customers who place their trust in us,” he wrote, “We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.”

The hack is one in a recent string of online security breaches, including incidents at Facebook and Evernote.

On Tuesday, the Associated Press’ Twitter account was hacked, causing the stock market averages to briefly plunge and false reports of explosions at the White House to circulate.

LivingSocial said it was actively working with law enforcement to investigate the cyber attack. The company did not explain how the hack occurred.

Story by Alexis Shaw/ABC News

Read More From PCMag.com…

Cyber-attackers recently breached LivingSocial’s systems and illegally accessed customer information for more than 50 million users, LivingSocial said. Users need to change their passwords immediately.

As PCMag.com reported yesterday, LivingSocial sent data breach notification emails to all affected customers informing them of a cyber-attack which resulted in unauthorized access of customer data. More than 50 million accounts were potentially affected, according to LivingSocial, making this one of the largest password breaches this year.

It’s not clear at this time how the breach occurred and what other pieces of information were stolen. In these kinds of incidents, attackers typically break in by secretly installing malware on employee devices and then work their way around the network until they find sensitive systems, George Tubin, senior security strategist at Trusteer, told SecurityWatch.

Providers “should expect hackers to target their systems to obtain customer data or sensitive corporate information,” Tubin said. At this point, “it’s obvious that these providers are simply not doing enough to protect their customers’ information,” Tubin said.

Salted, Hashed Passwords Not Crack-Proof
It’s a good sign that LivingSocial had hashed and salted its passwords, as that will slow down attackers somewhat, but “it won’t stop” the attackers from trying, and succeeding, in figuring out the original passwords, Ross Barrett, senior manager of security engineering at Rapid7, told SecurityWatch. While salting slows down the cracking process, “eventually the attackers or their network will get the information they’re after,” Barrett said.

Hashing is a one-way function: a given input always produces the same output, but there is no way to start from a hash and work backwards to the original string, so an attacker has to guess candidate inputs, hash them, and compare. Against unsalted hashes, attackers can skip even that work by using precomputed tables such as rainbow tables, built ahead of time from immense lists of candidate strings (dictionary words, common surnames, even song lyrics) and their corresponding hash values. Looking up a hash from the stolen password table in such a table returns the string that produced it.

Salting refers to adding a random value to each password before hashing it, with a different salt stored next to each user’s hash. The salt is not a secret (an attacker who copied the hashes almost certainly copied the salts too), but it makes precomputed tables useless, because a table would have to be rebuilt for every distinct salt, and it forces the attacker to crack each user’s hash separately instead of testing one guess against the whole table at once.

The problem, however, is that LivingSocial used SHA1 to generate the hash, a poor choice for storing passwords. Like MD5, another popular algorithm, SHA1 was designed to run quickly with a minimal amount of computing resources, which is exactly what a password cracker wants: each guess costs a tiny fraction of a second, and commodity GPUs can test billions of salted guesses per second.

Considering recent advances in hardware and cracking tools, SHA1 hashes, even salted, aren’t crack-proof. LivingSocial would have been better off with bcrypt, scrypt, or PBKDF2, which are deliberately slow and have a tunable work factor, so that every guess costs the attacker thousands of times more computation than a single SHA1 and the cost can be raised as hardware improves.
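The following is an added example illustrating the points above; it is not code from LivingSocial or from the article’s authors. It builds a small, constructed leak (made-up users, passwords, salts, and wordlist) and shows three things: a precomputed table of plain hashes succeeds against unsalted SHA1 but fails against salted SHA1; a salt does not stop a dictionary attack, since the salt sits beside the hash and the attacker simply hashes each guess with it; and switching the same scheme to PBKDF2 (an assumed iteration count of 100,000 is used) leaves the attack just as possible but far more expensive per guess.

```python
"""Added example, not the site's or the article's code. All users, passwords,
salts and the wordlist below are constructed for illustration."""
import hashlib
import os
import time

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def sha1_salted(password: bytes, salt: bytes) -> bytes:
    """Fast and unsuitable for passwords: a single SHA-1 over salt || password."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_salted(password: bytes, salt: bytes) -> bytes:
    """Slow and suitable: PBKDF2-HMAC-SHA256 with a high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


# Constructed "leaked" tables: user -> (salt, hash). Salts are stored in the
# clear next to the hashes, exactly as a real site would store them.
WORDLIST = ["letmein", "password", "qwerty", "sunshine", "hunter2", "dragon"]
SAMPLE_PASSWORDS = {"alice": "hunter2", "bob": "dragon", "carol": "sunshine"}
SALTS = {u: os.urandom(8) for u in SAMPLE_PASSWORDS}
LEAKED_UNSALTED = {u: (b"", hashlib.sha1(p.encode()).digest())
                   for u, p in SAMPLE_PASSWORDS.items()}
LEAKED_SHA1 = {u: (SALTS[u], sha1_salted(p.encode(), SALTS[u]))
               for u, p in SAMPLE_PASSWORDS.items()}
LEAKED_PBKDF2 = {u: (SALTS[u], pbkdf2_salted(p.encode(), SALTS[u]))
                 for u, p in SAMPLE_PASSWORDS.items()}


def build_precomputed_table(words):
    """Attacker-side precomputation: plain SHA-1 of every word, computed once and
    reused against any leak. A rainbow table is a space-compressed form of this."""
    return {hashlib.sha1(w.encode()).digest(): w for w in words}


def lookup_precomputed(table, leaked):
    """Try the precomputed table against a leak; returns {user: password} hits."""
    return {u: table[h] for u, (_, h) in leaked.items() if h in table}


def dictionary_attack(leaked, hash_fn, words):
    """Guessing attack that knows the salts: for every user, hash each candidate
    with that user's salt and compare. Returns (hits, number of hash calls)."""
    recovered, work = {}, 0
    for user, (salt, target) in leaked.items():
        for w in words:
            work += 1
            if hash_fn(w.encode(), salt) == target:
                recovered[user] = w
                break
    return recovered, work


def cost_per_guess(hash_fn, samples=20):
    """Rough wall-clock cost in seconds of one guess with the given hash."""
    salt = os.urandom(8)
    t0 = time.perf_counter()
    for _ in range(samples):
        hash_fn(b"guess", salt)
    return (time.perf_counter() - t0) / samples


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("table vs unsalted SHA-1:", lookup_precomputed(table, LEAKED_UNSALTED))
    print("table vs salted SHA-1:  ", lookup_precomputed(table, LEAKED_SHA1))
    hits, work = dictionary_attack(LEAKED_SHA1, sha1_salted, WORDLIST)
    print("dictionary vs salted SHA-1:", hits, "hash calls:", work)
    hits, work = dictionary_attack(LEAKED_PBKDF2, pbkdf2_salted, WORDLIST)
    print("dictionary vs PBKDF2:      ", hits, "hash calls:", work)
    ratio = cost_per_guess(pbkdf2_salted) / cost_per_guess(sha1_salted)
    print(f"PBKDF2 costs roughly {ratio:,.0f}x more per guess than SHA-1")
```

Run as-is, the precomputed table recovers all three unsalted passwords and none of the salted ones, while the dictionary attack recovers all three from both the SHA1 and the PBKDF2 tables with the same number of hash calls; the only thing PBKDF2 changes is how long each of those calls takes, which is the whole point of a slow, tunable KDF.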

Change Those Passwords Now
LivingSocial has preemptively reset passwords for all users and users should make sure to pick new passwords that aren’t being used anywhere else. Many people tend to reuse the same password across sites; if users used the LivingSocial password on other sites, they should change those passwords immediately as well. Once the passwords are cracked, attackers can try the passwords against popular services such as email, Facebook, and LinkedIn.

“These breaches are another reminder why it’s so important to maintain good password hygiene and use different passwords for all accounts and sites,” Barrett said.

Attackers can also use dates of birth and names to craft phishing and other social engineering campaigns. They can reference these details to trick users into thinking the messages are legitimate. The stolen data will be “powering attacks for a very long time,” Barrett said.

The LivingSocial breach is “another reminder that organizations will continue to be targeted for their valuable customer data,” Barrett said.

By Fahmida Y. Rashid