Friday, April 26, 2013

Living Social Hacked: security breach leaves 50 million users compromised

I'm not sure how much we have in common, but I'm pretty sure neither of us would want to receive this email at 7:16 PM on a Friday evening.

But sadly, I did. Right before I dropped some delicious BBQ onto the grill to celebrate the kickoff of Festival International de Louisiane, I heard a little ding from my email client notifying me of an important message (you may have gotten one too).

It would seem I am one of the 50 million or so LivingSocial registered users whose account information was compromised in a cyber-attack on their computer systems, in which attackers gained access to sensitive personal information about LivingSocial's customers (namely, me).

The breach appears to have been contained, though there are only scant details about the attack being released from LinkedIn at this time.

The information that was accessed includes (but note they do not say "is limited to," which means additional information may have been accessed): customer names, user email addresses, birthdates (only for some users, not all 50 million, WHEW), and encrypted passwords.

Fortunately, LivingSocial doesn't store plain text passwords in their database system and uses a salting / hashing system to enhance security.

Also, at least according to the official announcement from LivingSocial, the database that stores user credit card information was not "affected or accessed" by the attackers.  And, thankfully, if you login to LivingSocial using Facebook Connect, your Facebook credentials "were not compromised."

It is reassuring to note that they seemed to respond quickly to the breach with their public statement and emails to affected customers (it takes a while to deliver 50 million emails, even when you're LivingSocial).  Even so, if you were one of the affected users, you should head over to LivingSocial to reset your password right away.  Or delete your account, I suppose.

The traditional Business & Tech news outlets have been running some pretty extensive coverage for a Friday night announcement of a website hack, and if you're curious to learn more, head over to CNBC, CNET, PCMag, or LifeHacker to see their reporting about the security breach.

Personally, I'm going to Festival International de Louisiane to celebrate my LivingSocial troubles away.

Here's the full text of the email I received at 7:16 PM CST & 11:36 PM CST April 26, 2013:
IMPORTANT INFORMATION
LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.
The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.
Two things you should know:
  1. The database that stores customer credit card information was not affected or accessed.

  2. If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised.
You do not need to take any action at this time, but we wanted to be sure you were fully informed of what happened.
The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.
Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to login – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.
If you have additional questions about this process, the "Create New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.
We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.
Sincerely, 
Tim O'Shaughnessy, CEO