LivingSocial breached

Blog Post created by rbarrett Employee on Apr 29, 2013

The breach of 50 million passwords, birth dates and names from daily deal site LivingSocial is another reminder that organizations will continue to be targeted for their valuable customer data.


While it is good that the passwords stolen from LivingSocial are hashed and salted as this likely slow down the cracking process, it won’t stop it. In a similar situation, last year attackers broke into LinkedIn and stole 6.46 million passwords, which were hashed, but not salted. Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords. While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they’re after.


You might be wondering what does it mean to have usernames and passwords salted and hashed. Hashing uses mathematical algorithms to create a seemingly random value, determined by the input (your password) which is difficult even for computers, to reverse. Salting is an additional layer of security added on top of the encryption to make it more difficult – but not impossible – to decode. Once the nature of the salt is determined, they can uncover the passwords much quicker.


If you use LivingSocial, it’s critical that you change your password immediately. And if you, like many people, use the same password for other online accounts, change those ASAP. Once the passwords are uncovered, hackers will turn to popular sites like Facebook, LinkedIn, Gmail and so on. These breaches are another reminder of why it’s so important to maintain good password hygiene and use different passwords for all accounts and sites. For guidance on setting strong passwords, check out this video: Password Security Tips for Data Protection [VIDEO] | Rapid7


Not only were passwords compromised, dates of birth and names were also accessed. This data can be used by attackers in phishing or other social engineering techniques. People need to be vigilant about emails asking them to click on a link, or unexpected communications that use any of the stolen information. It’s likely this user data will be powering attacks for a very long time. If you're concerned that your employees may fall foul of these kinds of spear-phishing techniques, why not test their susceptibility to social engineering so you can take appropriate measures to educate them on the risks and what to look out for?