LivingSocial, the Washington, D.C.-based daily deals website, sent out an email this morning warning users that the site has “recently experienced a cyber-attack” that potentially exposed some sensitive user data.
The email, which confirms that the database containing customer passwords may have been compromised, stresses that “[t]he database that stores customer credit card information was not affected or accessed.” The message also stresses that passwords were stored in “encrypted ... technically ‘hashed’ and ‘salted’” form, and thus “would be difficult to decode.”
The email confirms reports yesterday by tech site AllThingsD, which said that it accessed an internal email by LivingSocial CEO Tim O'Shaughnessy to employees of the company stating that a hack had led to “unauthorized access to some customer data from our servers.”
According to AllThingsD, as well as a report from CNN, over 50 million LivingSocial members may have been affected by the hack.
Email: credit card database not accessed
The email sent by LivingSocial reads in part:
“LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.
The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.
The database that stores customer credit card information was not affected or accessed.
Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.”
The email, signed by O'Shaughnessy, also encourages users “to consider changing password(s) on any other sites on which you use the same or similar password(s).”
Passwords hashed, salted
In a security notice posted on its website, the company explained how it secures customer passwords in its database. The passwords, LivingSocial said, “were hashed with SHA1 using a random 40 byte salt,” meaning that “our system took the passwords entered by customers and used an algorithm to change them into a unique data string (essentially creating a unique data fingerprint) – that’s the ‘hash’. To add an additional layer of protection, the ‘salt’ elongates the password and adds complexity.”
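The notice above describes salted SHA-1 in general terms. The following Python is an added illustration, not LivingSocial's code, of what that scheme looks like next to the slow, iterated alternative (PBKDF2) that current guidance prefers. The 40-byte salt length comes from the notice; the concatenation order (salt before password), the UTF-8 encoding and the choice to store the salt beside the digest are assumptions, since the page does not state them.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Salt length taken from the notice quoted above ("a random 40 byte salt").
SALT_LEN = 40


def hash_password_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted SHA-1 in the style the notice describes.

    Assumption (not stated on the page): the salt is prepended to the UTF-8
    bytes of the password before hashing, and the salt is stored next to the
    digest so the same computation can be repeated at login.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_sha1(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    _, candidate = hash_password_sha1(password, salt)
    return hmac.compare_digest(candidate, digest)


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = 600_000) -> Tuple[bytes, int, bytes]:
    """Slow, iterated alternative: PBKDF2-HMAC-SHA256 from the standard library.

    The iteration count is stored with the digest so it can be raised later;
    each guess against the stored value costs the same work as a login does.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count."""
    _, _, candidate = hash_password_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salts_separate_identical_passwords(password: str) -> bool:
    """Two users who choose the same password end up with different digests,
    which is what stops one precomputed table from covering both accounts."""
    _, d1 = hash_password_sha1(password)
    _, d2 = hash_password_sha1(password)
    return d1 != d2


if __name__ == "__main__":
    # Constructed sample: one made-up passphrase run through both schemes.
    salt, digest = hash_password_sha1("example-passphrase")
    print("salted sha1 verifies:", verify_sha1("example-passphrase", salt, digest))
    s, n, d = hash_password_pbkdf2("example-passphrase")
    print("pbkdf2 verifies:", verify_pbkdf2("example-passphrase", s, n, d))
    print("same password, distinct digests:",
          salts_separate_identical_passwords("example-passphrase"))
```

The salt does what the notice says: it makes every stored value unique, so a leaked table cannot be matched against a precomputed list in one pass. What the salt does not change is that a single SHA-1 is very cheap to compute, which is why the email still asks users to rotate the password and any reused ones; an iterated function such as PBKDF2 (or bcrypt, scrypt or Argon2) makes each guess against a leaked record far more expensive.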
The page also said that LivingSocial is “working with internal and external forensic security teams to investigate the nature of the incident and to further improve our security systems, and we are working with law enforcement to investigate this incident.”