LivingSocial Hacked: Information of 50 Million Users Exposed

Daily deals site and Groupon competitor, LivingSocial, said on Friday that it had fallen victim to a cyber attack that put its roughly 50 million users at risk.

“LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers,” the company said in a brief note on its site while prompting users to reset their passwords.

According to an internal email from LivingSocial CEO Tim O’Shaughnessy obtained by, the attackers were able to access information including names, email addresses, dates of birth for some users, and passwords, which fortunately were hashed and salted.

“Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one,” the alert from LivingSocial continued.

The database that stores customer credit card information was not accessed by the attacker, the company said.

“These providers should expect hackers to target their systems to obtain customer data or sensitive corporate information,” George Tubin, senior security strategist at Trusteer told SecurityWeek.

Similar to other somewhat recent breaches that occurred at LinkedIn and Evernote, breaches like this give hackers access to massive amounts of sensitive user data in one single hit—that can be used in additional attacks down the road.

Ross Barrett, senior manager, security engineering at Boston-based Rapid7 agrees that attackers continue to target valuable customer data.

“The breach of 50 million passwords, birthdates and names from daily deal site LivingSocial is another reminder that organizations will continue to be targeted for their valuable customer data,” Barrett told SecurityWeek in an emailed statement.

“While it is good that the passwords stolen from LivingSocial are hashed and salted as this will likely slow down the cracking process, it won’t stop it.”

In describing what happened following the LinkedIn breach, Barrett explained: “Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords. While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they’re after.”

“Hashing uses mathematical algorithms to create a seemingly random value, determined by the input (your password), which is difficult, even for computers, to reverse,” Barrett explained. “Salting is an additional layer of security added on top of the encryption to make it more difficult – but not impossible – to decode.”

“Once the nature of the salt is determined, they can uncover the passwords much quicker,” Barrett said.
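The difference between unsalted and salted storage, as an added example that is not from the article or from LivingSocial: it stores the same constructed accounts first with a single fast hash and then with a per-user random salt and a slow key-derivation function. The article does not say which algorithm LivingSocial used; PBKDF2-HMAC-SHA256, the iteration count, and all names and sample values here are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware


def unsalted_sha256(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, deliberately slow hash. Returns the record a user table would store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_groups(digests: dict) -> list:
    """Return groups of users whose stored digest is identical (visible password reuse)."""
    by_digest = {}
    for user, digest in digests.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


# Constructed sample accounts: two users happen to pick the same password.
SAMPLE = {"alice": "Spring2013!", "bob": "Spring2013!", "carol": "t4ngerine-Kite"}

if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in SAMPLE.items()}
    strong = {u: hash_password(p)["hash"] for u, p in SAMPLE.items()}
    print("unsalted groups:", shared_password_groups(weak))    # alice and bob share a digest
    print("salted groups:  ", shared_password_groups(strong))  # every digest is unique
```

The salt is stored next to the hash, so it is not a secret; its job is to force separate work for every account, while the iteration count sets how expensive each guess is.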

With financial information not exposed in this attack, some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing and social engineering attacks. For example, being able to send a targeted phishing message with the ability to address a user by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield.

“If you, like many people do, use the same password for other online accounts, change those ASAP,” Barrett said. “Once the passwords are uncovered, hackers will turn to popular sites like Facebook, LinkedIn, Gmail and so on. These breaches are another reminder why it’s so important to maintain good password hygiene and use different passwords for all accounts and sites.”

“In light of recent successful widespread attacks against major social networking sites, it’s obvious that these providers are simply not doing enough to protect their customers’ information,” Tubin added.

LivingSocial said they are actively working with law enforcement to investigate the incident but have not provided any additional details.

“It’s likely this user data will be powering attacks for a very long time,” Barrett said.

Related Reading: LinkedIn Breach: How a 6.5M Hole Could Sink a 160M Ship 

Updated: 04/29/13 at 6:55AM ET to reflect that Barrett’s comments were specific to the LinkedIn Data Breach, not the LivingSocial breach.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
