50 million LivingSocial passwords stolen

29 April 2013

On Friday 26 April 2013, some 50 million of LivingSocial's 70 million registered users learnt that they must reset their passwords following the latest large-scale online password theft.

Washington DC-based LivingSocial is the world's second largest online offers company (behind Groupon). Only customers in South Korea, Indonesia, the Philippines and Thailand, where account details are held on a separate system, are unaffected.

Little is yet known about the hack beyond the company's statement that it is 'actively' working with law enforcement to investigate. It isn't known how or when the intrusion happened, nor how long the intruders were on the network.

The company claims that no financial details were lost. "The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text," says the company in an email being sent to affected customers. This sounds reassuring, but is not nearly as good as it could be.

Firstly, irrespective of any passwords, the names, emails and birthdays could be combined to form the basis of future social engineering and phishing attacks against the victims – so LivingSocial customers should be on the lookout for any suspicious emails.

Secondly, salted and hashed passwords are not as well protected as it may seem, especially since LivingSocial used SHA1, a fast general-purpose hash function that was never designed for storing passwords. Hashing converts variable-length input into a fixed-length output that cannot be reversed to recover the input.

Breaking a hashed password involves guessing the original, running it through the same hashing algorithm, and comparing the result with the stolen hash. If they match, the password is 'cracked'. To avoid repeating that work, attackers precompute huge lookup tables of hashes for short and common passwords, the so-called rainbow tables, so that an unsalted hash can be cracked by lookup rather than by computation. That's why users are encouraged to use long, complex passwords: short or common ones are already in the tables and are cracked in seconds.

'Salting', the addition of random characters to each password before it is hashed, defeats those precomputed tables: the attacker must redo the guessing separately for every user, against that user's salt. That makes cracking a whole database take longer, but it does not make any single guess more expensive. Taking longer is good enough only if the hack is discovered quickly and users are made to change their passwords. This highlights the second weakness of SHA1: it is very fast. That is good for the legitimate user since it reduces computing overheads, but equally good for the attacker, whose commodity GPUs can test billions of SHA1 guesses per second against each salted hash.

It is noticeable that the company's security notice and FAQ on the incident now say, "We have switched our hashing algorithm from SHA1 to bcrypt." This is a good move: bcrypt is not merely stronger than SHA1, it is specifically designed to be slow, with a tunable work factor, so each guess costs the attacker far more and cracking bcrypt-hashed passwords takes correspondingly longer. Note, though, that the switch protects only passwords hashed after it; the copies already stolen remain salted SHA1 and can still be cracked on the old terms. And there doesn't seem to be any password policy to force or encourage users to choose strong, complex passwords (which of course they should).
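The three points above (guess-hash-compare, why a salt defeats precomputed tables but not per-user guessing, and why a slow hash raises the attacker's bill) can be seen in a few dozen lines. The following is an added example, not LivingSocial's code and not taken from the article: the accounts, salts and wordlist are constructed, and the standard library's PBKDF2-HMAC-SHA256 stands in for bcrypt (which is not in the standard library) since both make every guess cost thousands of underlying hash operations instead of one.

```python
import hashlib
import os
import time

# Constructed sample accounts (hypothetical, not LivingSocial data). Two use
# passwords that appear in the attacker's wordlist; one does not.
USERS = {"alice": "summer2013", "bob": "hunter2", "carol": "Tr0ub4dor&3-x9Q!"}

# Constructed attacker wordlist; real attacks use tens of millions of entries.
WORDLIST = ["password", "123456", "letmein", "livingsocial", "qwerty", "summer2013", "hunter2"]

PBKDF2_ITERATIONS = 100_000  # cost parameter; bcrypt's equivalent is its log2 work factor


def sha1_unsalted(password: str, salt: bytes = b"") -> str:
    """Plain SHA1 of the password: one fast hash, no per-user salt (salt ignored)."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Salted SHA1 as the article describes it: salt || password, hashed once."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes) -> str:
    """Deliberately slow, salted hash. PBKDF2-HMAC-SHA256 stands in for bcrypt
    here (assumption for the example); each call costs PBKDF2_ITERATIONS HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def store(users, hash_fn):
    """What the database holds: a random per-user salt and the hash. Salts are
    not secret; they only force the attacker to work per user."""
    records = {}
    for name, password in users.items():
        salt = os.urandom(16)
        records[name] = (salt, hash_fn(password, salt))
    return records


def precompute_table(wordlist, hash_fn):
    """The rainbow-table idea in its simplest form: hash the wordlist once,
    index by digest. Only useful when no salt is involved."""
    return {hash_fn(word, b""): word for word in wordlist}


def lookup_attack(records, table):
    """Crack unsalted hashes by dictionary lookup: no hashing at attack time."""
    return {name: table[digest] for name, (_, digest) in records.items() if digest in table}


def dictionary_attack(records, wordlist, hash_fn):
    """Guess, hash with the victim's salt, compare. Returns the recovered
    passwords and the number of hash_fn calls spent (the attacker's bill)."""
    cracked, calls = {}, 0
    for name, (salt, digest) in records.items():
        for guess in wordlist:
            calls += 1
            if hash_fn(guess, salt) == digest:
                cracked[name] = guess
                break
    return cracked, calls


def main():
    # 1. Unsalted SHA1: precompute once, crack every matching user by lookup.
    unsalted = store(USERS, sha1_unsalted)
    table = precompute_table(WORDLIST, sha1_unsalted)
    print("unsalted SHA1, table lookup:", lookup_attack(unsalted, table))

    # 2. Salted SHA1: the table is useless, but each guess still costs one SHA1.
    salted = store(USERS, sha1_salted)
    print("salted SHA1, table lookup:", lookup_attack(salted, table))
    t0 = time.perf_counter()
    cracked, calls = dictionary_attack(salted, WORDLIST, sha1_salted)
    print(f"salted SHA1, dictionary: {cracked} in {calls} hashes, {time.perf_counter() - t0:.4f}s")

    # 3. Slow salted hash: same guesses, same outcome, but each guess now costs
    #    PBKDF2_ITERATIONS hash operations, which is the point of bcrypt-style hashing.
    slow = store(USERS, slow_salted)
    t0 = time.perf_counter()
    cracked, calls = dictionary_attack(slow, WORDLIST, slow_salted)
    print(f"slow hash, dictionary: {cracked} in {calls} guesses "
          f"(~{calls * PBKDF2_ITERATIONS:,} hash ops), {time.perf_counter() - t0:.4f}s")


if __name__ == "__main__":
    main()
```

Running it shows the same two weak passwords falling in every scheme; what changes is the attacker's cost per guess, and that, not the salt, is what a bcrypt-style hash buys. Carol's password survives only because it is not in the wordlist, which is the user-side half of the argument.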

Affected users should also note that changing their LivingSocial password will only make the LivingSocial account secure. Most users reuse the same password over multiple online accounts. All of those accounts using the same password must now also be considered ‘hacked’. Affected users should change all of their passwords to new, strong, and different passwords for every account - and as soon as possible.

This article is featured in:
Data Loss  •  Encryption  •  Internet and Network Security
