April 27, 2013
LivingSocial Falls Victim to Cyber-Attack
By Ed Silverstein, TMCnet Contributor
The well-known daily-deals site LivingSocial has some troubling news for 70 percent of its members – a massive 50 million accounts were compromised by hackers.
The still-unidentified hackers got access to “names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords,” according to a company internal memo released on Friday. (Hashed passwords mean they have been mashed up with a mathematical algorithm and salted passwords mean they added random digits to the end of each hashed password – as security precautions, The New York Times
Looking on the bright side, the cyber-thieves did not gain access to banking/financial info from merchants nor credit card info from users.
Company employees were informed about the attack by LivingSocial CEO Tim O’Shaughnessy who said it caused “unauthorized access to some customer data from our servers,” according to the internal e-mail later published by All Things D.
LivingSocial has reset customer passwords. The company wants its subscribers to change their passwords, and to change their passwords on other sites if those passwords are the same as or close to the one used for LivingSocial.
There is a risk the hackers could launch phishing attacks against the 50 million members.
Members were also advised to follow only the recommendations in official LivingSocial e-mails, which tell them to visit the company’s homepage and click on a “Create a New Password” button.
The hackers may try to send the members fake e-mails which appear to be from the company.
“LivingSocial will never ask you directly for personal or account information in an email,” the company’s e-mail to customers said. “We will always direct you to the LivingSocial website — and require you to login — before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a different website that asks for such information.”
Indonesia, Korea, the Philippines and Thailand were apparently the only nations that were not subject to the LivingSocial attack because systems there are separate, All Things D reported.
The precaution by LivingSocial to store credit card and financial data separately was praised by one security specialist.
"The fact that the credit card information is stored separately is good, and I'm glad that they did that," Chris Wysopal, an information security specialist at Veracode, told CNET.
Law enforcement officials will investigate the attack, which, along with other recent attacks, shows the vulnerabilities in online sites.
Recently, such sites as Evernote, LinkedIn and Zappos were victims of cyber-attacks. It’s not clear when the attack on LivingSocial took place.
LivingSocial will be making some upgrades to minimize the risk that future attacks will be successful.
“We are redoubling efforts to prevent any issues in the future,” O’Shaughnessy said in the internal memo.
The company is also going to “temporarily suspend consumer phone-based servicing” due to the likely high call volume from users.
“We will be devoting all available resources to our web-based servicing,” the memo said. “We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.”
The attack came as LivingSocial has been trying to increase its revenue, even though the daily-deals sector has been facing many challenges, TMCnet reported.
In fact, LivingSocial reported that in Q1 it saw an operating loss of $44 million, compared to a $91 million loss during Q1 of 2012. Revenue in the recent quarter was $135 million compared to $110 million in revenue during Q1 in 2012. The Washington Post credited the lower losses to the company’s “cost-cutting and reorganization” efforts.
Edited by Stefania Viscusi