Apr 29, 2013

LivingSocial Hacked: What You Need to Know

LivingSocial confirmed on Friday, April 26th that they experienced a cyber-attack on their computer systems that resulted in unauthorized access to some customer data on their servers, including names, email addresses, date of birth for some users, and encrypted passwords (hashed and salted). The daily deals site joins a growing list of services that have been hacked in the last year and a half, including Zappos, Evernote, LinkedIn, eHarmony, and Last.fm.

Update Your Password, Now

Although the passwords were hashed and salted, and there are no known dumps of the stolen data, it's plausible that a percentage of the password hashes are known or have been brute-forced to reveal the plain text passwords, given the increasing speed at which brute-forcing can be performed and the proliferation of weak and duplicate passwords.

Echoing LivingSocial's recommendations in their email to the 50 million affected customers, we strongly recommend that anyone with a LivingSocial account follow the steps to update their password immediately, and update the password on any other accounts that used the same or a similar password. Launch LivingSocial, click the "Create New Password" button in the top right corner of the homepage, and update the password to a new, randomly generated one using the LastPass password generator, located in the Tools menu under the LastPass icon. The LastPass Security Check, in the Tools menu of the LastPass addon, will also help you identify any weak or duplicate passwords.

Now Is the Time to Be Proactive

We're seeing a trend that highlights some critical truths about passwords:
  • Hacks of popular services are inevitable, and their frequency is increasing - password re-use and weak passwords make these situations that much more damaging
  • The end user must be as proactive as possible about protecting their data - this means using a password manager to create strong, unique passwords, and following best security practices - like avoiding open WiFi, running up-to-date antivirus, avoiding public computers, and backing up your data
  • Companies need to take responsibility for educating their employees and providing tools, like LastPass Enterprise, that help them better protect corporate data and enforce high security standards

Help us spread the word about secure password management to family, friends, and coworkers who would benefit from the ability to achieve higher security standards while making their online life easier. With generated passwords, hacks like these are less likely to pose a risk to their personal data, and recovering is a matter of a few clicks to generate a new password.
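Why "hashed and salted" is not the end of the story, and why a generated password changes the picture: the added Python example below (not code from this post or from LastPass, and it makes no claim about how LivingSocial stored passwords) stores a weak and a randomly generated password under a fast salted hash and under a slow key-derivation function, then checks each stored value against a constructed five-word guess list. The guess list, the salt, and the function names are all assumptions made for the demonstration.

```python
import hashlib
import os
import secrets
import string
import time

# Constructed sample data: a five-word guess list standing in for the large
# wordlists that make weak, reused passwords cheap to recover from a leaked dump.
GUESS_LIST = ["123456", "password", "livingsocial", "letmein", "qwerty"]

def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """One SHA-256 over salt + password: a single fast hash per guess."""
    return hashlib.sha256(salt + password.encode()).digest()

def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with the same salt: each guess now costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def recover_from_guess_list(stored: bytes, salt: bytes, hash_fn):
    """Return the guess-list entry whose salted hash equals `stored`, else None.
    The salt is stored beside the hash, so whoever holds the dump has it too: it
    defeats precomputed tables but not per-account guessing of a weak password."""
    for guess in GUESS_LIST:
        if hash_fn(guess, salt) == stored:
            return guess
    return None

def generated_password(length: int = 16) -> str:
    """A random password of the kind a password-manager generator produces."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def seconds_per_guess(hash_fn, salt: bytes, trials: int = 20) -> float:
    """Average wall-clock cost of one guess under `hash_fn` (small sample, rough)."""
    start = time.perf_counter()
    for _ in range(trials):
        hash_fn("probe", salt)
    return max((time.perf_counter() - start) / trials, 1e-9)

def demo() -> dict:
    """Weak password: recovered under both schemes, the slow KDF only buys time.
    Generated password: absent from any guess list, so the dump alone yields nothing."""
    salt = os.urandom(16)  # constructed; a real system keeps one random salt per account
    weak, strong = "password", generated_password()
    return {
        "weak_fast": recover_from_guess_list(fast_salted_hash(weak, salt), salt, fast_salted_hash),
        "weak_slow": recover_from_guess_list(slow_salted_hash(weak, salt), salt, slow_salted_hash),
        "strong_fast": recover_from_guess_list(fast_salted_hash(strong, salt), salt, fast_salted_hash),
        "slowdown": seconds_per_guess(slow_salted_hash, salt) / seconds_per_guess(fast_salted_hash, salt),
    }
```

The `slowdown` figure is what a site gains by choosing a slow KDF; the `None` for the generated password is what a user gains by never choosing a password that appears on any list.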

4 comments:

  1. And if you use Facebook login for LS?

  2. Same question. I do not have a password and only can log in with Facebook. Is there any additional risk to my Facebook account?

  3. Assuming it uses OAuth, there's no danger to your fb password. e-mail was probably exposed, not sure about other data.

  4. Perhaps change your Facebook password as well, just to be sure
