LivingSocial confirms hacking; More than 50 million accounts affected

Summary: UPDATED: LivingSocial is the latest major online property to be hacked. Here are more details about what to do next from company leaders.


Following reports earlier on Friday, LivingSocial confirmed that it has been the victim of a major cyber attack.


The Washington, D.C.-based business asserted via email that it is already in the process of notifying more than 50 million customers whose data may have been affected by the cyber-attack.

Those emails started going out this afternoon, and company reps gave assurances that the notifications will continue until all customers have been reached.

The hacking spans borders, affecting members of the Amazon-owned property worldwide -- except in Thailand, Malaysia, Indonesia, and the Philippines because TicketMonster and Ensogo use different data systems.

LivingSocial PR responded to our request and provided copies of the following two emails to serve as the daily deal company's official statements.

UPDATE: LivingSocial followed up and issued a correction to its earlier comments. The affected server contained data on all of LivingSocial's worldwide users except those in Korea, Thailand, Indonesia and the Philippines -- NOT Malaysia. Malaysia data was on the hacked server.

E-MAIL FROM TIM O'SHAUGHNESSY TO EMPLOYEES

Re:  Security Incident

LivingSocialites –

This e-mail is important, so please read it to the end.

We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

Two things you should know:

    The database that stores customer credit card information was not affected or accessed.

    The database that stores merchants’ financial and banking information was not affected or accessed.

The security of our customer and merchant information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

To ensure our customers and merchants are fully informed and protected, we are notifying those who may have been impacted via email explaining what happened, expiring their passwords, and requesting that they create new passwords. A copy of the note is included below this email.

If you have any questions or concerns, please visit Pulse - https://pulse.livingsocial.com/intranet/Home/more_updates.html - for a list of frequently asked questions. If you have additional questions that aren’t answered in the FAQs, please submit them via email to [NAME REDACTED]@livingsocial.com.

Because we anticipate a high call volume and may not be able to answer or return all calls in a responsible fashion, we are likely to temporarily suspend consumer phone-based servicing. We will be devoting all available resources to our web-based servicing.

I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.

- Tim

_______________________________

CUSTOMER E-MAIL

Subject:  An important update on your LivingSocial.com account

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The database that stores customer credit card information was not affected or accessed.

Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.

For your security, please create a new password for your <<email_address>> account by following the instructions below.

    Visit LivingSocial.com

    Click on the "Create a New Password" button (top right corner of the homepage)

    Follow the steps to finish

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to login – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a different website that asks for such information.

If you have additional questions about this process, the "Create a New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Tim O'Shaughnessy

CEO, LivingSocial


About

Rachel King is a staff writer for CBS Interactive based in San Francisco, covering business and enterprise technology for ZDNet, CNET and SmartPlanet. She has previously worked for The Business Insider, FastCompany.com, CNN's San Francisco bureau and the U.S. Department of State. Rachel has also written for MainStreet.com, Irish Americ...
