02:27 PM

LivingSocial Says Cyberattack Puts Data Of 50 Million Customers At Risk

Shopping and deals site LivingSocial says all customers should change passwords; source of hack undisclosed

LivingSocial, an online shopping and deals website that supports some 50 million customers, said it has fallen victim to a cyberattack.

According to an email sent to LivingSocial employees and published by AllThingsD.com, the hack puts customers' personal data at risk, including names, emails, birthdates, and hashed and salted passwords.

The company said neither the database that stores customer credit card information nor the database that stores merchants' financial and banking information was affected.

Neither the email nor subsequent comments from LivingSocial spokespeople have revealed the exact nature of the attack. The email refers to "a cyberattack on our computer systems that resulted in unauthorized access to some customer data from our servers." It states that the affected customers are being notified, and the site is recommending that the users change their passwords.

Experts around the industry said encrypting the passwords was a step in the right direction, but that LivingSocial may not be out of the woods. "The good news here is that apparently the passwords were encrypted. That will only be true, however, if attackers didn't obtain any keys at the same time," says Mark Bower, vice president at Voltage Security. "For the sake of the victims, let's hope that was done properly.

"There are data types [in the breach] that should really have been protected that weren't," Bower says. "Identity information, email addresses, and dates of birth are potentially sensitive in combination -- particularly in cases where password resets are based on 'secrets,' like date of birth, maiden names, and so on, as the answer to an identity verification question. So if the data used at this compromised site happens to also be used at other sites which use that verification method, it might now be possible to attack third-party accounts through password reset questions in some cases."

Ross Barrett, senior manager for security engineering at Rapid7, agreed. "While it is good that the passwords stolen from LivingSocial are hashed and salted, as this likely slow down the cracking process, it won't stop it," he says.

"In a similar situation last year, attackers broke into LinkedIn and stole 6.46 million passwords, which were hashed, but not salted. Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum, where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords. While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they're after."

Because of the size of the breach, many experts suggested it probably was to one of LivingSocial's databases, possibly through an exposed Web application vulnerability and/or SQL injection.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-08-14
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (A...
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.