LivingSocial hacked; 50 million affected
Hackers target LivingSocial, stealing the personal data of more than 50 million people in an enormous security breach.
Daily deals Web site LivingSocial is the latest database target for hackers, who have compromised the personal information of more than 50 million people.
In internal LivingSocial e-mails obtained by AllThingsD, the unknown culprits appear to have made off with the names, e-mails, birthdates, and encrypted passwords of what appears to be the vast majority of LivingSocial customers.
The Washington, D.C.-based site, owned in part by Amazon, claims around 70 million customers worldwide. The company's divisions in the Philippines, South Korea, Indonesia, and Thailand remain unaffected because they are hosted on different servers.
To put this breach in perspective, said Robert Hansen, director of Product Management & Technical Evangelist at WhiteHat Security, it's important to consider its scale. "If there are approximately a billion people on the Internet, this hack single-handedly represents about half a percent of all Internet users. This could be catastrophic, not for the accounts and credit cards that are stolen directly, but also because of password reuse of all of those millions of users. They should be changing their passwords immediately," he said.
In his e-mails, LivingSocial CEO Tim O'Shaughnessy wrote, "We recently experienced a cyberattack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue."
He advised customers to create a new password. LivingSocial has subsequently reset customer passwords, although it's not clear if all customers' passwords were reset or just those who were affected by the hack.
One saving grace of the hack is that merchant and customer financial data, including credit card numbers, appears to have avoided the hackers' grasp. "The fact that the credit card information is stored separately is good, and I'm glad that they did that," Chris Wysopal, an information security expert at Veracode, said in a phone conversation with CNET today.
LivingSocial left many questions unanswered in its internal e-mails, including two key ones: What kind of attacks were used to get at the databases? How long ago did the attacks occur?
Given the type of data stolen, Wysopal said, it's likely that the attacks used a Web app to get at the site's SQL databases. "If it was a Web application, testing should've been better," he said.
"That's one of the frustrations out here in the professional security world," Wysopal said. "If we knew what the root causes were of these hacks, it would be easier to help companies improve their security."
LivingSocial declined to comment when asked for more information on the attacks. "We're not discussing timing or details on the attack due to the ongoing investigation taking place," a LivingSocial spokesperson wrote in an e-mail to CNET.
LivingSocial is only the latest in a string of high-profile Web companies who've suffered massive customer database breaches. In the past 18 months,, , and have all had their customer data compromised.
Although it's common during security attacks like these to feel helpless, Wysopal offered some concrete steps that individuals can take to protect themselves. Because it's not clear when the attack happened, he said, it's possible that "the hackers are well on their way to getting at your e-mail account. It's important to check your e-mail, see if it's been accessed from strange places, or if it's being forwarded to another account."
"If you're using the same password on multiple sites, now's the time to change them. Use a password manager like OnePass," he added. Other options include RoboForm, LastPass, and KeePass, among others.
Update, April 26 at 5:07 p.m. PT: Adds comment from WhiteHat Security representative Robert Hansen.
Correction, April 26 at 5:07 p.m. PT: This story misidentified the countries not affected by the breach. The correct list is South Korea, Philippines, Indonesia, and Thailand.
Correction, April 29 at 2:25 p.m. PT: Corrected the spelling of KeePass.