LivingSocial Says Cyberattack Puts Data Of 50 Million Customers At Risk

Shopping and deals site LivingSocial says all customers should change passwords; source of hack undisclosed

LivingSocial, an online shopping and deals website that supports some 50 million customers, said it has fallen victim to a cyberattack.

According to an email sent to LivingSocial employees and published by AllThingsD.com, the hack puts customers' personal data at risk, including names, emails, birthdates, and hashed and salted passwords.

The company said neither the database that stores customer credit card information nor the database that stores merchants' financial and banking information was affected.

Neither the email nor subsequent comments from LivingSocial spokespeople have revealed the exact nature of the attack. The email refers to "a cyberattack on our computer systems that resulted in unauthorized access to some customer data from our servers." It states that the affected customers are being notified, and the site is recommending that the users change their passwords.

Experts around the industry said encrypting the passwords was a step in the right direction, but that LivingSocial may not be out of the woods. "The good news here is that apparently the passwords were encrypted. That will only be true, however, if attackers didn't obtain any keys at the same time," says Mark Bower, vice president at Voltage Security. "For the sake of the victims, let's hope that was done properly.

"There are data types [in the breach] that should really have been protected that weren't," Bower says. "Identity information, email addresses, and dates of birth are potentially sensitive in combination -- particularly in cases where password resets are based on 'secrets,' like date of birth, maiden names, and so on, as the answer to an identity verification question. So if the data used at this compromised site happens to also be used at other sites which use that verification method, it might now be possible to attack third-party accounts through password reset questions in some cases."

Ross Barrett, senior manager for security engineering at Rapid7, agreed. "While it is good that the passwords stolen from LivingSocial are hashed and salted, as this likely slow down the cracking process, it won't stop it," he says.

"In a similar situation last year, attackers broke into LinkedIn and stole 6.46 million passwords, which were hashed, but not salted. Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum, where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords. While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they're after."

Because of the size of the breach, many experts suggested it probably was to one of LivingSocial's databases, possibly through an exposed Web application vulnerability and/or SQL injection.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-16
An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability.
PUBLISHED: 2019-01-16
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration helpurl settings allowed stored XSS.
PUBLISHED: 2019-01-16
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS.
PUBLISHED: 2019-01-16
An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in mod_banners leads to a stored XSS vulnerability.
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.