
Livingsocial tells 50 million users to reset passwords following hack

It is working with law enforcement
Mon Apr 29 2013, 15:13

DAILY DEALS WEBSITE Livingsocial is advising users to change their login details after experiencing a cyber attack that exposed the private data of up to 50 million users.

The Groupon-style website acknowledged the hacking attack on Friday in an email the firm's CEO Tim Haughnessy sent to employees, and has now updated the homepage of its website to ask customers to create a new password in case they have been compromised as a result of the breach.

"Livingsocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," the daily deals website said.

"The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords - technically 'hashed' and 'salted' passwords. We never store passwords in plain text."

Livingsocial insisted that its database that stores customer credit card information was not affected or accessed.

"Although your Livingsocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one," the website added.

US security firm Imperva believes the hacking was carried out via a web application attack such as SQL Injection, or a framework-based attack made possible by unpatched software.

"Based on the data structure that Livingsocial said to have been hacked, it is very likely that the attack that was performed was an SQL Injection attack," Imperva said in a blog post.

"The very defined category/column data headers that were disclosed (names, addresses, emails, passwords which are hashed) describes a database table in a very clear form.

"Unfortunately the SQL Injection vector remains to date one of the most common and least handled security problems out there."

To help prevent such attacks in the future, security firms have advised websites similar to Livingsocial to install "compensating controls" such as web application firewalls, which help block attacks during the "window of exposure": the period hackers have between a bug coming into existence, the time it takes to be found and the time a fix is in place to block the security hole.

"Often hackers find their way to that bug way before the company does," Imperva added.

Although Livingsocial has 70 million members worldwide, it has said that only 50 million users potentially could have been compromised because the company uses different computer systems in Korea, Thailand, Indonesia and the Philippines. µ
