LivingSocial confirms hacking; More than 50 million accounts affected

Summary: UPDATED: LivingSocial is the latest major online property to be hacked. Here are more details about what to do next from company leaders.


Following reports earlier on Friday, LivingSocial confirmed that it has been the victim of a major cyber attack.

The Washington, D.C.-based business said via email that it is already in the process of notifying more than 50 million customers whose data may have been affected by the attack.

Those emails started going out this afternoon, and company representatives said the notifications will continue until all affected customers have been reached.

The breach spans borders, affecting members of the Amazon-backed property worldwide, except in Thailand, Malaysia, Indonesia and the Philippines, because the TicketMonster and Ensogo operations there use separate data systems (see the update below).

LivingSocial's PR team responded to our request for comment and provided copies of the following two emails, which serve as the daily-deal company's official statements.

UPDATE: LivingSocial followed up with a correction to its earlier statement. The affected server held data on all of LivingSocial's worldwide users except those in Korea, Thailand, Indonesia and the Philippines. Malaysia is not excluded: Malaysian user data was on the compromised server.

E-MAIL FROM TIM O'SHAUGHNESSY TO EMPLOYEES

Re:  Security Incident

LivingSocialites –

This e-mail is important, so please read it to the end.

We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

Two things you should know:

    The database that stores customer credit card information was not affected or accessed.

    The database that stores merchants’ financial and banking information was not affected or accessed.

The security of our customer and merchant information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

To ensure our customers and merchants are fully informed and protected, we are notifying those who may have been impacted via email explaining what happened, expiring their passwords, and requesting that they create new passwords. A copy of the note is included below this email.

If you have any questions or concerns, please visit Pulse - https://pulse.livingsocial.com/intranet/Home/more_updates.html - for a list of frequently asked questions. If you have additional questions that aren’t answered in the FAQs, please submit them via email to [NAME REDACTED]@livingsocial.com.

Because we anticipate a high call volume and may not be able to answer or return all calls in a responsible fashion, we are likely to temporarily suspend consumer phone-based servicing. We will be devoting all available resources to our web-based servicing.

I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.

- Tim

_______________________________

CUSTOMER E-MAIL

Subject:  An important update on your LivingSocial.com account

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The database that stores customer credit card information was not affected or accessed.

Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.

For your security, please create a new password for your <<email_address>> account by following the instructions below.

    Visit LivingSocial.com

    Click on the "Create a New Password" button (top right corner of the homepage)

    Follow the steps to finish

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to log in – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a different website that asks for such information.

If you have additional questions about this process, the "Create a New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Tim O'Shaughnessy

CEO, LivingSocial

Topics: Security, Privacy, Start-Ups, Tech Industry, Social Enterprise


Talkback

12 comments
  • The problem all started from people using

    Windows 8.....the leek was found in one of those flashing tiles used in Surface RT - Metro UI.
    Over and Out
    • Windows 8 has vegetables?

      Must be good for you.
      gfeier
      • story is nice, , 1 week

        story is nice, , 1 week ago my mum's best friend basically also earnt $5998 sitting there a nineteen hour week in their apartment and their buddy's step-aunt's neighbour has been doing this for six months and got a cheque for more than $5998 part-time from their laptop. use the guidelines from this address,, >> http://qr.net/kiS8
        bhaitoqeer
    • ^^^No^^^

      Anyway...

      It's both bad and good that things like this happen. On the one hand thieves have your data. Bad? Yes, but apart from your passwords it's freely available. So it's bad if anyone doesn't manage to change their password.

      And I suppose there's no good news, but there is a silver lining. Here it is:

      If you've read this and you use the following:
      -Same password ON ANY TWO WEBSITES
      -You change your password by putting a 1 at the end
      -You comply with capital letter requirements by making the first letter of your ordinary password capital
      -You use a name
      -You use the password "Pa55word" or any common word with numbers for letters.
      -You use a stupidly obvious password reminder "date of birth"
      -Actually extend that - no dates of birth.
      -Any part of your password has 123 in it
      -You use the same password, only changing it for that account: "Go_hotmail", "Go_yahoo"
      -You store your passwords in any computer file.

      Your mission for this weekend is to
      -buy a notepad
      -Make a new password for every site
      -write them on notepad
      -keep notepad somewhere not near your computer.


      If this seems too difficult or annoying
      -delete all online accounts.
      MarknWill
      • Ps

        This may seem obvious, but don't write them in the notepad like this:

        Facebook password = *********
        Gmail password = ********
        MarknWill
        • Pssss

          Darn it! No wonder my passwords don't work. I thought ********* was the password.
          bump911
    • Hard to take you seriously.

      It's hard to take anyone seriously who spells leak "leek", plus where is the evidence that the breach was related to Windows? Last I heard RT ran on ARM, not typically found in servers. Furthermore, Windows RT isn't a server OS.
      Zdnet needs better trolls.
      JustWow2000
  • Protect your electronic communications

    ThreadThat dot com provides free, easy-to-use, end-to-end encrypted electronic communications. You have the option to prevent password resets so that hackers cannot take control of your TT account. This is especially important when sharing sensitive information electronically.
    MrPrivacy
  • Passwords in computer files or tables

    How many passwords can you remember?

    I made a table of mine and it has 437 items. If I have a different one for every account, website, or blog I am associated with, then I will forget 90% of them overnight. Thus, the use of a table.

    A written notepad with them is ludicrous; there would be no organization to the list. The only other reasonable solution would be a notebook with one page for each site, so they can be organized alphabetically.

    In my case, the 437 pages require a 2 1/2" wide notebook. Of course I'd have to lug it with me to use my smartphone or laptop away from home. And, being retired, I don't have any employment-related sites or accounts, which would be enough to make it a 3" notebook. (When I retired I purged over 100 County, State, Federal and Commercial accounts and other access codes from my list.)

    How big would your notebook be?
    320vu50@...
    • there is already business in that

      1Password and similar solutions. It's quite good, if you trust any of their security. Or the security of their technology providers such as Dropbox.
      danbi
  • Apparently They Used A Cryptographic Hash Instead Of A Password Hash

    They didn't follow best practice to ensure that passwords would be hard to crack. But Ars Technica is reporting they have now changed their policy.
    ldo17
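The emails above say the stolen passwords were "hashed and salted", and the comment above argues that a general-purpose cryptographic hash is not the same as a password hash. The block below is an added example, not LivingSocial's code and not anything the page shows about their system: it stores the same weak password for two users under a salted SHA-1 (one fast hash call) and under PBKDF2-HMAC-SHA256 (iterated, with a tunable work factor), then runs an identical small offline dictionary attack against both. The salt is what stops precomputed tables and hides duplicate passwords; the iteration count is what makes each guess expensive. The record layout, the function names, the iteration count, the wordlist (built from the bad habits listed in the comments above) and the sample users are all constructed for the demonstration.

```python
"""Salted cryptographic hash vs. password hash (added example, not LivingSocial code)."""
import hashlib
import hmac
import os
import time

# Assumed work factor for the demo. In production, tune it so one verification
# costs tens of milliseconds on the serving hardware, and revisit it over time.
PBKDF2_ITERATIONS = 100_000


def salted_sha1(password: str, salt: bytes) -> bytes:
    """Salted general-purpose hash: a single SHA-1 call, so each guess is cheap."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Password hash: HMAC-SHA256 iterated `iterations` times for every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


SCHEMES = {"salted-sha1": salted_sha1, "pbkdf2-sha256": pbkdf2_sha256}


def make_record(password: str, scheme: str) -> dict:
    """Store a fresh random 16-byte salt next to the hash; the password itself is never kept."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = SCHEMES[record["scheme"]](candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def dictionary_attack(record: dict, wordlist: list) -> tuple:
    """What an attacker does with a stolen record: try each guess offline.

    Returns (cracked password or None, guesses made, seconds spent).
    """
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, start=1):
        if verify(record, guess):
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


# Constructed wordlist drawn from the bad habits listed in the comments above.
WORDLIST = ["password", "Password", "password1", "123456", "qwerty",
            "letmein", "Pa55word", "Go_hotmail", "Go_yahoo", "summer2013"]


def demo() -> dict:
    """Run the same attack against both schemes and report per-guess cost."""
    results = {}
    for scheme in SCHEMES:
        # Two users with the same weak password: per-user salts make the stored
        # hashes differ, so a cracker cannot spot duplicates or reuse a lookup table.
        alice = make_record("Pa55word", scheme)
        bob = make_record("Pa55word", scheme)
        cracked, guesses, seconds = dictionary_attack(alice, WORDLIST)
        results[scheme] = {
            "duplicate_hashes_visible": alice["hash"] == bob["hash"],
            "cracked": cracked,
            "guesses": guesses,
            "seconds_per_guess": seconds / guesses,
        }
    return results


if __name__ == "__main__":
    for scheme, r in demo().items():
        print(f"{scheme:14} cracked={r['cracked']!r} after {r['guesses']} guesses, "
              f"{r['seconds_per_guess'] * 1000:.3f} ms/guess, "
              f"duplicate hashes visible={r['duplicate_hashes_visible']}")
```

Both schemes fall to the same wordlist at the same guess, because salting does nothing against a direct guess of a weak password; what changes is the cost per guess, which is the only lever the site controls once the database is gone. The salt still matters: without it, the two identical passwords would produce identical stored hashes and one precomputed table would serve every user.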
  • Why Did They Need Date of Birth?

    What I really blame them for is for asking for more personal information than they needed. If they want a year of birth, fine, but there is no reason they should ask for the whole date of birth. All sites that demand too much information should be held fully responsible. They should only ask for what they really need and keep that encrypted and in separate databases.
    randallian