50,000,000 usernames and passwords lost as LivingSocial “special offers” site hacked

LivingSocial, the online offers site owned in largish part by Amazon, has just emailed its userbase, said to be 50,000,000-strong, to fess up to a data breach.

That’s right: another day, another shed-load of password hashes in the hands of crooks.

At least LivingSocial’s password database was salted and hashed, which reduces the impact of the breach a lot.

Naked Security reader Chris, from Melbourne, Australia, kindly sent us a copy of the notification email he received:

LivingSocial recently experienced a security breach on our computer systems that resulted in unauthorised access to some customer data from our servers. We are actively working with the authorities to investigate this issue.

The information accessed includes names, email addresses, the date of birth of some users, and encrypted passwords; technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

To revise password storage quickly: don’t store the actual password.

Store a random string of characters instead, combine the password and this random string (that’s “salting” the string to vary its flavour), and pass the salted password through a non-reversible cryptographic function to get a message digest code (that’s “hashing” the data by slicing, dicing and stirring together the salted input in a digital mixing bowl).

A crook can check to see if your password is, say, s3cr3cy by salting-and-hashing himself, but he has to start with a guess, because he can’t go back from the hash to your password.

That’s why easy-to-guess passwords are bad: the crooks crack them first.

→ You often hear the term “hashed and salted”, as in the email above, but technically you salt and then hash, otherwise the salt wouldn’t get mixed into the hash calculation.

The silver lining I’m always determined to find when SNAFUs like this occur is that LivingSocial took the opportunity to sneak an additional, and pertinent, security reminder into its breach notification:

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to login – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

Good advice, not least because cybercrooks love to take security announcements, from patches and updates to breach notifications, and use them to try to get new victims on the hook.

And it’s just when you’re expecting a notification from a company you do business with that you are at the greatest risk of believing emails that you’d probably discard out of hand at any other time.

→ Never click on login links contained in emails. A reputable company will never send you such emails, precisely so you can assume that all email-borne login links are bogus, and ignore them. The same sort of reason why many jurisdictions require game hunters, whom you’d expect to sneak around in camouflage, to wear conspicuously lurid and unnatural-looking jackets. If you’re dressed entirely unlike any other animal on Planet Earth, you won’t be mistaken for one.

If you read LivingSocial’s online warning, you will see a further suggestion on what to do next:

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

That’s also good advice, but a few more words would have made it even better: if you’ve used the same password on multiple sites, change the passwords on those sites so that they are all different.

And if you are in the habit of re-using passwords, don’t wait until one of your accounts gets hacked before you go and change all those common passwords.

The whole idea of using different passwords on different sites is to avoid what you might call a “race to the bottom,” where all your logins end up as insecure as the slackest, sloppiest, weakest site on the list.

And if you struggle to come up with decent passwords, fear not: here’s how to do it:

(Enjoy this video? Check out the SophosLabs YouTube channel!)