02:27 PM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
Repost This

LivingSocial Says Cyberattack Puts Data Of 50 Million Customers At Risk

Shopping and deals site LivingSocial says all customers should change passwords; source of hack undisclosed

LivingSocial, an online shopping and deals website that supports some 50 million customers, said it has fallen victim to a cyberattack.

According to an email sent to LivingSocial employees and published by AllThingsD.com, the hack puts customers' personal data at risk, including names, emails, birthdates, and hashed and salted passwords.

The company said neither the database that stores customer credit card information nor the database that stores merchants' financial and banking information was affected.

Neither the email nor subsequent comments from LivingSocial spokespeople have revealed the exact nature of the attack. The email refers to "a cyberattack on our computer systems that resulted in unauthorized access to some customer data from our servers." It states that the affected customers are being notified, and the site is recommending that the users change their passwords.

Experts around the industry said encrypting the passwords was a step in the right direction, but that LivingSocial may not be out of the woods. "The good news here is that apparently the passwords were encrypted. That will only be true, however, if attackers didn't obtain any keys at the same time," says Mark Bower, vice president at Voltage Security. "For the sake of the victims, let's hope that was done properly.

"There are data types [in the breach] that should really have been protected that weren't," Bower says. "Identity information, email addresses, and dates of birth are potentially sensitive in combination -- particularly in cases where password resets are based on 'secrets,' like date of birth, maiden names, and so on, as the answer to an identity verification question. So if the data used at this compromised site happens to also be used at other sites which use that verification method, it might now be possible to attack third-party accounts through password reset questions in some cases."

Ross Barrett, senior manager for security engineering at Rapid7, agreed. "While it is good that the passwords stolen from LivingSocial are hashed and salted, as this likely slow down the cracking process, it won't stop it," he says.

"In a similar situation last year, attackers broke into LinkedIn and stole 6.46 million passwords, which were hashed, but not salted. Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum, where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords. While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they're after."

Because of the size of the breach, many experts suggested it probably was to one of LivingSocial's databases, possibly through an exposed Web application vulnerability and/or SQL injection.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web