Daily deals site LivingSocial may have exposed customer data for some 50 million users when it experienced a cyber-attack on its computer systems.
The breach resulted in unauthorized access to names, email addresses, dates of birth (for some users), and passwords. The database that stored customer credit card information was not affected, nor was the Facebook data for LivingSocial users using Facebook Connect.
LivingSocial says it is working with law enforcement and forensic security teams to investigate the incident and to improve its security systems. As far as online passwords go, the company says its passwords were ‘hashed’ (hashing uses an algorithm to convert the password into a different string) and ‘salted’ (salted means these passwords likely have additional random text added, as an additional layer of security).
The attack was reported by Kara Swisher of AllThingsD, based on an internal email sent out by the company’s CEO Tim O’Shaughnessy, and a LivingSocial PR spokesperson confirmed that 50 million users were indeed affected. According to a notice posted on the LivingSocial website, ‘some customer data from our servers’ were compromised.
How did the company manage to get 50 million of its users compromised in one go? Were all LivingSocial users compromised? LivingSocial says it has 70 million members worldwide, so presumably not.
LivingSocial passwords were hashed with SHA1 using a random 40-byte salt. Passwords entered by customers were changed into a data string, creating a unique data fingerprint, using a security algorithm (that’s the ‘hash’). The company further added random information to the passwords (the salting part). Following the attack, LivingSocial says it has switched its hashing algorithm from SHA1 to bcrypt.
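To make the SHA1-to-bcrypt switch concrete, here is an added example (not LivingSocial's code) of how stored salted SHA-1 digests can be moved to a slow hash: an offline pass wraps every old digest without needing the password, and the next successful login re-hashes the password directly. It assumes the legacy layout was SHA1(salt || password), uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and all record fields and function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 cost; stand-in for the bcrypt work factor

def legacy_sha1(password, salt):
    # Assumed legacy layout: SHA1(salt || password); the article does not give it.
    return hashlib.sha1(salt + password.encode()).hexdigest()

def slow_hash(data, salt):
    # PBKDF2-HMAC-SHA256 from the standard library, standing in for bcrypt.
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS).hex()

def new_record(password):
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": slow_hash(password.encode(), salt)}

def wrap_legacy(rec):
    # Offline pass: no password needed, so every old digest is protected at once.
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(sha1)", "legacy_salt": rec["salt"], "salt": salt,
            "hash": slow_hash(rec["hash"].encode(), salt)}

def verify_and_upgrade(password, rec):
    # Returns (ok, record_to_store); a good login on an old scheme is re-hashed.
    if rec["scheme"] == "sha1":
        candidate = legacy_sha1(password, rec["salt"])
    elif rec["scheme"] == "pbkdf2(sha1)":
        inner = legacy_sha1(password, rec["legacy_salt"])
        candidate = slow_hash(inner.encode(), rec["salt"])
    else:
        candidate = slow_hash(password.encode(), rec["salt"])
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False, rec
    return True, (rec if rec["scheme"] == "pbkdf2" else new_record(password))

def demo():
    salt = os.urandom(40)  # constructed sample: 40-byte salt as in the article
    legacy = {"scheme": "sha1", "salt": salt,
              "hash": legacy_sha1("correct horse", salt)}
    wrapped = wrap_legacy(legacy)
    ok, upgraded = verify_and_upgrade("correct horse", wrapped)
    bad, kept = verify_and_upgrade("wrong guess", wrapped)
    return ok, upgraded["scheme"], bad, kept is wrapped

if __name__ == "__main__":
    print(demo())
```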
LivingSocial joins Twitter, LinkedIn, and Evernote, among others, in a list of companies that were breached recently.
[Image courtesy: LivingSocial]