50,000,000 usernames and passwords lost as LivingSocial "special offers" site hacked

Filed Under: Data loss, Featured

LivingSocial, the online offers site owned in largish part by Amazon, has just emailed its userbase, said to be 50,000,000-strong, to fess up to a data breach.

That's right: another day, another shed-load of password hashes in the hands of crooks.

At least LivingSocial's password database was salted and hashed, which greatly reduces the impact of the breach: the crooks now have to guess each password and check it, rather than simply reading it off.

Naked Security reader Chris, from Melbourne, Australia, kindly sent us a copy of the notification email he received:

LivingSocial recently experienced a security breach on our computer systems that resulted in unauthorised access to some customer data from our servers. We are actively working with the authorities to investigate this issue.

The information accessed includes names, email addresses, the date of birth of some users, and encrypted passwords; technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

To revise password storage quickly: don't store the actual password.

Store a random string of characters instead, combine the password and this random string (that's "salting" the string to vary its flavour), and pass the salted password through a non-reversible cryptographic function to get a message digest code (that's "hashing" the data by slicing, dicing and stirring together the salted input in a digital mixing bowl).

A crook can check to see if your password is, say, s3cr3cy by salting-and-hashing himself, but he has to start with a guess, because he can't go back from the hash to your password.

That's why easy-to-guess passwords are bad: the crooks crack them first.

→ You often hear the term "hashed and salted", as in the email above, but technically you salt and then hash, otherwise the salt wouldn't get mixed into the hash calculation.
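The storage and checking steps described above, as an added example that is not from the article or from LivingSocial: store_password salts first and then hashes, verify_password repeats the same computation server-side (the computation a crook with a leaked record can also repeat per guess, which is why a slow, iterated hash matters), and hash_then_salt shows why the reversed order leaves the salt out of the digest. The choice of PBKDF2-HMAC-SHA256 and the iteration count are my assumptions; the article only says "a non-reversible cryptographic function".

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example: a salted, iterated hash (PBKDF2)
# and a 16-byte random salt per user.
ITERATIONS = 100_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salt, then hash: the salt is mixed into the input of the digest."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # This is what goes on disk: salt, digest and parameters, never the password.
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Server-side login check: recompute with the stored salt and compare.

    The stored hash never travels over the network; the candidate password
    arrives (over HTTPS), is hashed in memory, and only the result is compared.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), salt, record["iterations"]
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def hash_then_salt(password: str, salt: bytes) -> bytes:
    """The wrong order, for illustration only: hashing the bare password and
    tacking the salt on afterwards leaves the digest itself unchanged, so two
    users with the same password still share an identical digest."""
    unsalted = hashlib.sha256(password.encode()).digest()
    return unsalted + salt


if __name__ == "__main__":
    rec = store_password("s3cr3cy")  # constructed sample password
    print(rec)
    print("correct guess:", verify_password(rec, "s3cr3cy"))
    print("wrong guess:  ", verify_password(rec, "S3cr3cy"))
```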

The silver lining I'm always determined to find when SNAFUs like this occur is that LivingSocial took the opportunity to sneak an additional, and pertinent, security reminder into its breach notification:

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to login – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

Good advice, not least because cybercrooks love to take security announcements, from patches and updates to breach notifications, and use them to try to get new victims on the hook.

And it's just when you're expecting a notification from a company you do business with that you are at the greatest risk of believing emails that you'd probably discard out of hand at any other time.

→ Never click on login links contained in emails. A reputable company will never send you such emails, precisely so you can assume that all email-borne login links are bogus, and ignore them. The same sort of reason why many jurisdictions require game hunters, whom you'd expect to sneak around in camouflage, to wear conspicuously lurid and unnatural-looking jackets. If you're dressed entirely unlike any other animal on Planet Earth, you won't be mistaken for one.

If you read LivingSocial's online warning, you will see a further suggestion on what to do next:

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

That's also good advice, but a few more words would have made it even better: if you've used the same password on multiple sites, change the passwords on those sites so that they are all different.

And if you are in the habit of re-using passwords, don't wait until one of your accounts gets hacked before you go and change all those common passwords.

The whole idea of using different passwords on different sites is to avoid what you might call a "race to the bottom," where all your logins end up as insecure as the slackest, sloppiest, weakest site on the list.

And if you struggle to come up with decent passwords, fear not: watch fellow writer Graham Cluley's venerable and amusing video, which gives you a surprisingly easy and effective technique to stay off the "easily guessed" password lists.


6 Responses to 50,000,000 usernames and passwords lost as LivingSocial "special offers" site hacked

  1. Unsure · 362 days ago

    I received this email from them but don't recall the password since I don't even recognize their name. Anyhow when I went to their site and input my email address it stated that I "had never set up an account, even though I'm signed up to receive their emails."

    Would this mean that I don't have a password stored with them, even if perhaps I ordered something through their email ads in the past?

    • Paul Ducklin · 362 days ago

      Hmmm, Unsure, I'm unsure :-)

      If you don't know your password for the service, and indeed don't even seem to have an account...then you can't follow their advice and change anything, and you can't close your account.

      Presumably you are in a database somewhere, but not apparently one associated with a functioning login.

      If you've never been in the habit of reusing passwords (or if you were and have now changed *and diversified* all the passwords you do know about) then I'd suggest you can just shrug the whole thing off.

    • Nickster · 361 days ago

      They have a "connect with facebook" option, so maybe you got in that way?

  2. Fred Ellsworth · 362 days ago

    I'd just like to say thanks because, as a budding computer forensic, your blog is a great resource and I find the articles really interesting and well written. Keep it up! :)

    Out of interest, what would be the likelihood/difficulty in "passing the hash" on a website such as this, and how much realistically have the "hackers" been thwarted by the Hash process?

    • Paul Ducklin · 362 days ago

      "Pass the hash" is something slightly different. It relates to Windows-style authentication, where a hash is exchanged over the network as part of the login process, so that the cleartext password isn't. That's a hash used as a way of maintaining password secrecy *in transit*.

      In the use of hashes described above, the hash never goes over the network - the actual password does. So the secrecy of the password in transit relies on HTTPS (secure HTTP).

      The hash in the example above is used to maintain password secrecy *at rest*. You send the password over a secure channel (HTTPS), convert it to a hash in memory on the server, and compare with what's on disk on the server. So the raw password never needs to be saved on disk.

      The hash can't be "replayed" in this case, because it isn't sent from client to server as part of the protocol. So the hash is only useful in letting you verify your efforts to guess the password. It can't be used in lieu of the password.

  3. Leo · 361 days ago

    Does livingsocial have this under control now? Or is it still unsafe to log on to their website? Also, I just want to verify which password I used for this livingsocial website because I DO have an account. That way, I can make sure no other accounts on any other websites I use use that same password. Thanks!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog