Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

LivingSocial Says Cyberattack Puts Data Of 50 Million Customers At Risk

Shopping and deals site LivingSocial says all customers should change passwords; source of hack undisclosed

LivingSocial, an online shopping and deals website that supports some 50 million customers, said it has fallen victim to a cyberattack.

According to an email sent to LivingSocial employees and published by AllThingsD.com, the hack puts customers' personal data at risk, including names, emails, birthdates, and hashed and salted passwords.

The company said neither the database that stores customer credit card information nor the database that stores merchants' financial and banking information was affected.

Neither the email nor subsequent comments from LivingSocial spokespeople have revealed the exact nature of the attack. The email refers to "a cyberattack on our computer systems that resulted in unauthorized access to some customer data from our servers." It states that the affected customers are being notified, and the site is recommending that the users change their passwords.

Experts around the industry said encrypting the passwords was a step in the right direction, but that LivingSocial may not be out of the woods. "The good news here is that apparently the passwords were encrypted. That will only be true, however, if attackers didn't obtain any keys at the same time," says Mark Bower, vice president at Voltage Security. "For the sake of the victims, let's hope that was done properly.

"There are data types [in the breach] that should really have been protected that weren't," Bower says. "Identity information, email addresses, and dates of birth are potentially sensitive in combination -- particularly in cases where password resets are based on 'secrets,' like date of birth, maiden names, and so on, as the answer to an identity verification question. So if the data used at this compromised site happens to also be used at other sites which use that verification method, it might now be possible to attack third-party accounts through password reset questions in some cases."

Ross Barrett, senior manager for security engineering at Rapid7, agreed. "While it is good that the passwords stolen from LivingSocial are hashed and salted, as this likely slow down the cracking process, it won't stop it," he says.

"In a similar situation last year, attackers broke into LinkedIn and stole 6.46 million passwords, which were hashed, but not salted. Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum, where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords. While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they're after."

Because of the size of the breach, many experts suggested it probably was to one of LivingSocial's databases, possibly through an exposed Web application vulnerability and/or SQL injection.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3331
PUBLISHED: 2021-01-27
WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)
CVE-2021-3326
PUBLISHED: 2021-01-27
The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2021-22641
PUBLISHED: 2021-01-27
A heap-based buffer overflow issue has been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
CVE-2021-22653
PUBLISHED: 2021-01-27
Multiple out-of-bounds write issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
CVE-2021-22655
PUBLISHED: 2021-01-27
Multiple out-of-bounds read issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).