Daily deals site LivingSocial has sent an email to 50 million customers warning them about a successful cyberattack on the company’s servers. Although the hackers didn’t get any credit card numbers, they did get users’ names, email addresses, birthdays and passwords; the passwords were stored in salted and hashed form. Users are advised to change their passwords.
USA Today’s Mike James reported, “LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyberattack on its computer systems, according to officials at the company. The breach has impacted 50 million customers of the Washington, D.C.-based company, who will now be required to reset their passwords. All of LivingSocial’s countries across the world appear to have been affected, except in Thailand, Korea, Indonesia and the Philippines.”
All Things D quoted the email that was sent to customers, which said, “The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text. The database that stores customer credit card information was not affected or accessed. Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.”
SecurityWatch’s Fahmida Y. Rashid noted, “It’s a good sign that LivingSocial had hashed and salted its passwords as that will slow down attackers somewhat, but ‘it won’t stop’ the attackers from trying, and succeeding, in figuring out the original passwords, Ross Barrett, senior manager of security engineering at Rapid7, told SecurityWatch. While salting slows down the cracking process, ‘eventually the attackers or their network will get the information they’re after,’ Barrett said.”
But PCWorld’s Tony Bradley warned, “The compromised password is only one facet of your risk, and that’s why changing your password won’t really save you. With access to this account, the attackers have your name, your email address, and your birth date. That’s enough information to get them started down the path of stealing your identity. Fortunately, mailing addresses and social security numbers were not compromised; otherwise, the criminals would have everything they need to wreak even more havoc. Stay on alert and pay attention to your email, bank accounts, credit report, and other resources that will alert you if something suspicious is going on with your identity. Don’t make the mistake of thinking it’s as simple as changing your password.”