Millions of Livingsocial Users Now Prime Phishing Targets
Apr 29, 2013 11:03 AM PT
LivingSocial's customers received some bad news on Friday: The popular daily deal site had been hacked, compromising some 50 million members' customer data.
There was some good news -- credit card data was not affected, the company promised in its notice to customers. Also, the Facebook credentials of users who connected to LivingSocial using Facebook Connect were not compromised.
The bad news is that the data the thieves did obtain almost certainly will be used in phishing attempts and other tactics to try to access users' financial accounts. The information obtained includes names, email addresses, some birth dates and encrypted passwords.
LivingSocial said it was actively working with law enforcement to investigate the breach.
Little has been revealed to the public about the mechanics of the hack, other than it made it past LivingSocial's security protections.
The site's passwords were hashed with SHA1 using a random 40 byte salt, LivingSocial said in its FAQ about the event -- meaning its system took the passwords entered by customers and used an algorithm to change them into a unique data string. Then the password was elongated. LivingSocial has switched its hashing algorithm from SHA1 to bcrypt.
Most probably, the breach was the result of an SQL Injection vulnerability, speculated Chris Eng, vice president of research at Veracode.
"It's likely they've identified the root cause by now and are ensuring they understand the extent of the damage," he told the E-Commerce Times.
LivingSocial obviously had the appropriate network-monitoring procedures in place to confirm that the databases containing customer credit cards and merchant information were unaffected.
"Keeping that information segmented to begin with was a good move on their part," Eng said.
What Consumers Can Do
That will be little comfort to users who have to go through the trouble of changing their password -- as LivingSocial advises -- or several passwords if they use the same one for multiple accounts.
That must be done, though, said Grace Zeng, research analyst at SilverSky.
"Now that 50 million peoples' names associated with email addresses and even birthdates are in the wrong hands, I would expect to see waves of spamming -- especially phishing attacks -- coming to affected customers," she told the E-Commerce Times.
It is not just consumers who have to be worried, said Tom Cross, director of security research at Lancope.
Enterprises should consider the possibility that employees may have used the same password on LivingSocial that they use to access their work email and VPN accounts, he told the E-Commerce Times.
"IT security teams should be proactively hunting for weak passwords in their networks, and they should assess the capabilities that they have for identifying compromised accounts," Cross advised.
The bigger concern for enterprises is making sure their own customer databases are not hacked in a similar manner.
"While we do not have details regarding how the hackers were able to access this data, it is revealing that so many hacks and breaches are occurring, even for companies that held mature security policies," noted Seth Goldhammer, director of product management at LogRhythm.
"Companies need to reevaluate their security strategies and ensure they have a well-rounded approach that assumes that it is no longer a question of if they will be hacked, but when," he told the E-Commerce Times.
Besides investing in prevention and hardening their policies and systems, companies should invest in technologies that help them discover what happened after the fact, Goldhammer suggested. "Technologies that can not only monitor but provide both real-time analytics and tools for historic forensic investigation will allow companies better insight to discover these breaches before it could be too late."