LivingSocial Hacked — More Than 50 Million Accounts Compromised

  • April 26, 2013

Just as we were thinking we were going to avoid any major enterprise compromises this week, LivingSocial announces that it has been compromised and some 50 million accounts have been compromised. Based on the reports, it doesn’t seem that any financial data is at risk, but things like usernames and passwords are all fair game.

To put this into perspective, if you think back to last years major compromise, LinkedIn, that was only 6 million accounts. The data compromised here is about 8.5 times that size.

That’s pretty freaking big.

Email to Clients

Subject: An important update on your LivingSocial.com account

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.
The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The database that stores customer credit card information was not affected or accessed.

Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.
For your security, please create a new password for your < > account by following the instructions below.

1. Visit LivingSocial.com
2. Click on the “Create a New Password” button (top right corner of the homepage)
3. Follow the steps to finish

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website — and require you to login — before making any changes to your account.

Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a different website that asks for such information.

If you have additional questions about this process, the “Create a New Password” button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Tim O’Shaughnessy
CEO, LivingSocial

Email to Employees

Re: Security Incident
LivingSocialites –

This e-mail is important, so please read it to the end.

We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.
The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.
Two things you should know:

1. * The database that stores customer credit card information was not affected or accessed.
2. * The database that stores merchants’ financial and banking information was not affected or accessed.

The security of our customer and merchant information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

To ensure our customers and merchants are fully informed and protected, we are notifying those who may have been impacted via email explaining what happened, expiring their passwords, and requesting that they create new passwords. A copy of the note is included below this email.

If you have any questions or concerns, please visit Pulse –https://pulse.livingsocial.com/intranet/Home/more_updates.html — for a list of frequently asked questions. If you have additional questions that aren’t answered in the FAQs, please submit them via email to XXX@livingsocial.com.

Because we anticipate a high call volume and may not be able to answer or return all calls in a responsible fashion, we are likely to temporarily suspend consumer phone-based servicing. We will be devoting all available resources to our web-based servicing.

I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.

– Tim

What’s this mean to you?

Well, it means that attackers, if they can manage to crack the password hashes are bound to have one of the largest username / password lists out there. What makes it worst is that they have username, email, birthday and password combinations. For any attacker looking for a specific target, or for anyone looking to perform large scale attacks like the recent Brute Force attacks against WordPress sites, this is gold mine.

This also makes it really easy to attack things like Facebook, Twitter, MySpace, Flicker, etc.. ever hear of those companies?

If you’re not already, here are a few things you really should be doing:

  • Don’t use the same password on multiple sites
  • Rotate usernames and emails on each site
  • Try platform specific emails – (e.g.., perezbox-livingsocial@gmail.com)

First, no I don’t have a LivingSocial account, at least I don’t think I do.

Second, yes it’s annoying, but what’s the real impact if you use the same information across all your social media and financial institutions? I bet those 50 million people are thinking it’s a small price to pay right now.

Third, always employ good passwords. By good I mean: unique, random and long. At least that’s my preference. Can’t remember them? No problem, try things like password managers: 1Password and LastPass are my recommendations.

Lastly, if you haven’t already obviously update your LivingSocial password at a minimum and I would encourage you go through all your online properties and update those accounts as well. Especially if you like to use the same information on all of them, you know who you are.

Cheers.

Tony is the Head of Security Products at GoDaddy and Sucuri Co-Founder. His passion lies in educating and bringing awareness about online threats to business owners. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at perezbox.com and you can follow him on Twitter at @perezbox.

Related Tags
6 comments

  1. What are the implications if one has historically logged into Living Social via Facebook?

    1. I’m was wondering the same thing , and of course I’m trying to reset my pass in the living social dashboard but it claims to have to verify my email and that mail hasn’t shown up for some time ( 30 min )

  2. Ok, so, I have asked them to send me the link to reset my password in excess of 12 times, and they won’t send me the link. Now what? I have vouchers I have paid for and need to print?

Comments are closed.

Related Categories
You May Also Like