
LivingSocial Hacked: Information of 50 Million Users Exposed

Daily deals site and Groupon competitor, LivingSocial, said on Friday that it had fallen victim to a cyber attack that put its roughly 50 million users at risk.

“LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers,” the company said in a brief note on its site while prompting users to reset their passwords.

According to an internal email from LivingSocial CEO Tim O’Shaughnessy obtained by AllThingsD.com, the attackers were able to access information including names, email addresses, dates of birth for some users, and passwords, which fortunately were hashed and salted.

“Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one,” the alert from LivingSocial continued.

The database that stores customer credit card information was not accessed by the attacker, the company said.

“These providers should expect hackers to target their systems to obtain customer data or sensitive corporate information,” George Tubin, senior security strategist at Trusteer told SecurityWeek.

Similar to other somewhat recent breaches at LinkedIn and Evernote, incidents like this give hackers access to massive amounts of sensitive user data in a single hit, data that can be used in additional attacks down the road.

Ross Barrett, senior manager of security engineering at Boston-based Rapid7, agrees that attackers continue to target valuable customer data.

“The breach of 50 million passwords, birthdates and names from daily deal site LivingSocial is another reminder that organizations will continue to be targeted for their valuable customer data,” Barrett told SecurityWeek in an emailed statement.

“While it is good that the passwords stolen from LivingSocial are hashed and salted, as this will likely slow down the cracking process, it won’t stop it.”

In describing what happened following the LinkedIn breach, Barrett explained: “Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords. While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they’re after.”

“Hashing uses mathematical algorithms to create a seemingly random value, determined by the input (your password), which is difficult, even for computers, to reverse,” Barrett explained. “Salting is an additional layer of security added on top of the encryption to make it more difficult – but not impossible – to decode.”

“Once the nature of the salt is determined, they can uncover the passwords much quicker,” Barrett said.
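The hashing and salting Barrett describes, as an added Python example that is not from the article or from LivingSocial's systems. The user list is constructed, and PBKDF2-HMAC-SHA256 with a per-user random salt is assumed as the storage scheme; the point shown is why salt prevents one precomputed table from cracking every account at once, and why the iteration count only slows guessing rather than stopping it.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to choose the same password.
# Addresses and passwords are made up for this example, not breach data.
USERS = {"alice@example.com": "correct horse", "bob@example.com": "correct horse"}

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords give identical
    digests, so one precomputed table recovers every matching account."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    The salt defeats shared precomputation; the iteration count raises the
    CPU cost of every guess, which is the 'slows but does not stop' property."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def guesses_needed(num_users: int, wordlist_size: int, salted: bool) -> int:
    """Hash evaluations to test one wordlist against every account.
    Unsalted: hash the list once and look up all users (W).
    Salted: each user's salt forces a fresh pass over the list (N * W)."""
    return wordlist_size * num_users if salted else wordlist_size

def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "unsalted_collide": len(set(unsalted.values())) == 1,
        "salted_collide": len({r["hash"] for r in salted.values()}) == 1,
        "verify_ok": verify(salted["alice@example.com"], "correct horse"),
        "verify_bad": verify(salted["alice@example.com"], "wrong"),
    }

if __name__ == "__main__":
    print(demo())
```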

With financial information not exposed in this attack, some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing and social engineering attacks. For example, being able to send a targeted phishing message with the ability to address a user by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield.

“If you, like many people do, use the same password for other online accounts, change those ASAP,” Barrett said. “Once the passwords are uncovered, hackers will turn to popular sites like Facebook, LinkedIn, Gmail and so on. These breaches are another reminder why it’s so important to maintain good password hygiene and use different passwords for all accounts and sites.”

“In light of recent successful widespread attacks against major social networking sites, it's obvious that these providers are simply not doing enough to protect their customers' information,” Tubin added.

LivingSocial said they are actively working with law enforcement to investigate the incident but have not provided any additional details.

“It’s likely this user data will be powering attacks for a very long time,” Barrett said.

Related Reading: LinkedIn Breach: How a 6.5M Hole Could Sink a 160M Ship 

Updated: 04/29/13 at 6:55AM ET to reflect that Barrett's comments were specific to the LinkedIn Data Breach, not the LivingSocial breach.
