April 30, 2013

LivingSocial Hacked; Better Change Those Passwords


LivingSocial informed its millions of customers over the weekend that malicious hackers had compromised the popular coupon site’s computer systems, exposing the names, email addresses, dates of birth, and encrypted passwords of an unknown number of LivingSocial members.


The good news is that, according to LivingSocial, user passwords were hashed and salted. In other words, the passwords were not stored in plain text but in a one-way hashed form that makes it very difficult – although not impossible – for the attackers to recover the original passwords from the data they accessed. The company also claims that attackers did not breach the separate database on which it stores customer credit card and other payment information.

Again, hashed passwords* are hard, but not impossible, to break. If you have an account on LivingSocial, then you should follow this link immediately and change your password over there. More importantly, if you used the same password for another site or sites, then you are going to want to go and change those passwords as well.


It’s almost getting to the point where attackers have to compromise payment information or find plain-text (unhashed) passwords or something else humiliating on a hacked server for anyone to care. Consumers, the organizations that should be doing a better job of protecting customer data, and even some security professionals are all increasingly desensitized to these sorts of breaches. It didn’t use to be like this. At first, no one talked about data breaches at all; then it got harder to sweep breaches under the rug, and companies had to come clean about them. Now we realize just how commonplace data breaches are, and it’s very difficult to sustain the rage in the face of near-daily breaches.

If you have an account on LivingSocial, then you should immediately change your password. If you used the same password for another site or sites, then you are going to want to go and change those passwords as well.

Keep this in mind, though, because we all read about spear phishing. In fact, we may read about spear phishing and phishing and watering-hole attacks and other social engineering attacks as often as we read about data breaches. Social engineering attacks in general rely on the attacker coming to possess a certain level of knowledge about their targets. Where exactly do you think social engineers find email addresses for phishing attacks? How do they figure out the interests of their potential targets so they can launch successful watering-hole attacks? Why are these hackers so good at guessing passwords and password reset questions?

A lot of this information is gleaned from data breaches. To be fair, a lot of it is also gathered from users openly over-posting information about themselves on social networks, but that’s a topic for another day. People often hand over their corporate email addresses for various online services, and when the databases for those services are compromised, attackers now have email contacts that they can attempt to phish at a number of high-value organizations. Birth dates can be valuable as well, because users often use their birth dates in their passwords or as part of their password reset questions. Obviously, if cracked, exposed password hashes can cause serious problems for users that insist on reusing the same password across sites.

If you’re interested, and I am guessing you are on account of the fact that you are reading a blog designed to educate users about security, LivingSocial provided a surprisingly good explanation of what is commonly referred to as “salting and hashing” in the FAQ section of the data breach notification:

*“LivingSocial passwords were hashed with SHA1 using a random 40 byte salt. What this means is that our system took the passwords entered by customers and used an algorithm to change them into a unique data string (essentially creating a unique data fingerprint) – that’s the ‘hash.’ To add an additional layer of protection, the ‘salt’ elongates the password and adds complexity. We have switched our hashing algorithm from SHA1 to bcrypt.”
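To make the FAQ concrete, here is an added example (not LivingSocial’s code, and not part of the original notice) that implements the scheme the quote describes, salted SHA1 with a random 40-byte salt, next to a deliberately slow password hash, and shows the login-time step a site needs when it switches schemes, since a stored hash cannot be converted to the new algorithm without the user’s password. bcrypt itself requires a third-party package, so the slow hash here is PBKDF2-HMAC-SHA256 from the Python standard library, which plays the same role of making every guess expensive; the record format, the iteration count and the function names are my own assumptions.

```python
"""Salted SHA1 (as the LivingSocial notice describes it) beside a slow
password hash, plus the verify-then-rehash step used during a migration."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

SALT_BYTES = 40            # the notice states a random 40-byte salt
SLOW_ITERATIONS = 200_000  # assumption: work factor for the PBKDF2 stand-in for bcrypt


def hash_sha1_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Legacy scheme: a single fast SHA1 pass over salt || password.
    The salt stops identical passwords from producing identical hashes and
    defeats precomputed tables, but SHA1 is fast, so each guess is cheap."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return salt, digest


def hash_slow(password: str, salt: Optional[bytes] = None,
              iterations: int = SLOW_ITERATIONS) -> Tuple[bytes, bytes]:
    """Replacement scheme: PBKDF2-HMAC-SHA256 with a tunable work factor
    (standing in for bcrypt, which is not in the standard library)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def make_record(scheme: str, salt: bytes, digest: bytes, iterations: int = 0) -> str:
    """What the database stores: scheme, work factor, salt and hash; never the password.
    (Constructed format: scheme$iterations$salt_hex$digest_hex.)"""
    return f"{scheme}${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    if scheme == "sha1":
        _, candidate = hash_sha1_salted(password, salt)
    elif scheme == "pbkdf2":
        _, candidate = hash_slow(password, salt, int(iterations))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def verify_and_upgrade(password: str, record: str,
                       iterations: int = SLOW_ITERATIONS) -> Tuple[bool, str]:
    """Login path during a scheme switch: a legacy record is rehashed with the
    new scheme the next time the user logs in successfully, because the
    plaintext is only available at that moment."""
    ok = verify_record(password, record)
    if ok and record.startswith("sha1$"):
        salt, digest = hash_slow(password, iterations=iterations)
        return True, make_record("pbkdf2", salt, digest, iterations)
    return ok, record


def hashes_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Rough single-core throughput, used to pick a work factor; the
    interesting number is the ratio between the two schemes, not the absolute value."""
    salt = os.urandom(SALT_BYTES)
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("benchmark-input-%d" % count, salt)
        count += 1
    return count / seconds


if __name__ == "__main__":
    salt, digest = hash_sha1_salted("correct horse battery staple")
    legacy = make_record("sha1", salt, digest)
    print("legacy record  :", legacy[:60], "...")
    ok, upgraded = verify_and_upgrade("correct horse battery staple", legacy)
    print("login ok       :", ok)
    print("now stored as  :", upgraded.split("$")[0])
    print("wrong password :", verify_record("hunter2", upgraded))
    print("salted SHA1 hashes/s : %.0f" % hashes_per_second(hash_sha1_salted))
    print("PBKDF2 hashes/s      : %.0f" % hashes_per_second(hash_slow))
```

Running the script shows the two properties the FAQ is getting at: hashing the same password twice with fresh salts gives unrelated records, and the slow scheme checks several orders of magnitude fewer hashes per second than salted SHA1, which is the whole reason for the move away from a fast hash. The `verify_and_upgrade` path is also why, after a switch like this, an organization cannot simply re-encode its existing table: the old hashes stay in place, and remain as weak as they were, until each user logs in again or resets their password.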