02:27 PM

LivingSocial Says Cyberattack Puts Data Of 50 Million Customers At Risk

Shopping and deals site LivingSocial says all customers should change passwords; source of hack undisclosed

LivingSocial, an online shopping and deals website that supports some 50 million customers, said it has fallen victim to a cyberattack.

According to an email sent to LivingSocial employees and published by AllThingsD.com, the hack puts customers' personal data at risk, including names, emails, birthdates, and hashed and salted passwords.

The company said neither the database that stores customer credit card information nor the database that stores merchants' financial and banking information was affected.

Neither the email nor subsequent comments from LivingSocial spokespeople have revealed the exact nature of the attack. The email refers to "a cyberattack on our computer systems that resulted in unauthorized access to some customer data from our servers." It states that the affected customers are being notified, and the site is recommending that the users change their passwords.

Experts around the industry said encrypting the passwords was a step in the right direction, but that LivingSocial may not be out of the woods. "The good news here is that apparently the passwords were encrypted. That will only be true, however, if attackers didn't obtain any keys at the same time," says Mark Bower, vice president at Voltage Security. "For the sake of the victims, let's hope that was done properly.

"There are data types [in the breach] that should really have been protected that weren't," Bower says. "Identity information, email addresses, and dates of birth are potentially sensitive in combination -- particularly in cases where password resets are based on 'secrets,' like date of birth, maiden names, and so on, as the answer to an identity verification question. So if the data used at this compromised site happens to also be used at other sites which use that verification method, it might now be possible to attack third-party accounts through password reset questions in some cases."

Ross Barrett, senior manager for security engineering at Rapid7, agreed. "While it is good that the passwords stolen from LivingSocial are hashed and salted, as this likely slow down the cracking process, it won't stop it," he says.

"In a similar situation last year, attackers broke into LinkedIn and stole 6.46 million passwords, which were hashed, but not salted. Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum, where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords. While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they're after."

Because of the size of the breach, many experts suggested it probably was to one of LivingSocial's databases, possibly through an exposed Web application vulnerability and/or SQL injection.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Executive Editor, Technical Content,  3/20/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.