50 million LivingSocial passwords stolen

Washington DC-based LivingSocial is the world’s second largest online offers company (behind Groupon). Only customers in South Korea, Indonesia, the Philippines and Thailand, where details are held on a different system, are unaffected.

Little is yet known about the hack, beyond that the company is 'actively' working with law enforcement to investigate the issue. It isn't known how or when the intrusion happened, nor how long the intruders were on the network.

The company claims that no financial details were lost. "The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text," says the company in an email being sent to affected customers. This sounds reassuring, but is not nearly as good as it could be.

Firstly, irrespective of any passwords, the names, emails and birthdays could be combined to form the basis of future social engineering and phishing attacks against the victims – so LivingSocial customers should be on the lookout for any suspicious emails.

Secondly, salted and hashed passwords are not as well-protected as it may seem - especially since LivingSocial used the relatively weak SHA1 hashing algorithm. Hashing converts variable-length input into a fixed-length, non-reversible output.

Breaking a hashed password involves guessing the original, running it through the hashing algorithm, and comparing the new output with the 'stolen' hashed output. If they are the same, the hashed password is 'cracked'. To make this faster, attackers use huge databases of hashes they computed earlier – so-called rainbow tables covering vast numbers of possible passwords. That's why users are encouraged to use long, complex passwords; short ones will be found in the tables and cracked in seconds.

'Salting', the application of additional random characters to the password before it is hashed, makes cracking more difficult; but it basically just makes it take longer. However, taking longer is good enough if the hack is discovered quickly and users made to change their passwords. This highlights the second weakness of SHA1 – it is very fast. This is good for the legitimate user since it reduces computing overheads; but also good for the attacker since it makes cracking faster.

It is noticeable that the company's security notice and FAQ on the incident now says, "We have switched our hashing algorithm from SHA1 to bcrypt." This is a good move since bcrypt is not merely stronger than SHA1, it is specifically designed to be slower - which in turn means it takes longer to crack bcrypt-hashed passwords. But there doesn't seem to be any password policy to force or encourage users to use strong, complex passwords (which of course they should).
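As an added example (not code from the article or from LivingSocial), here is the salted-hash scheme the article describes beside a deliberately slow replacement, with the login-time migration that a switch from SHA1 to bcrypt implies. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it, and the work factor is an assumed value.

```python
import hashlib
import hmac
import os

# Constructed example: a record like the one the article describes, a random
# salt stored beside SHA1(salt + password). PBKDF2-HMAC-SHA256 is used as a
# stand-in for bcrypt (assumption): like bcrypt it has a tunable work factor
# that makes every guess deliberately slow, the property the article credits.
SLOW_ROUNDS = 200_000  # assumed work factor; tune so one check takes ~100 ms


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Fast legacy scheme: a single SHA1 over salt || password."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, rounds: int = SLOW_ROUNDS) -> bytes:
    """Deliberately slow scheme (bcrypt stand-in): PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_record(password: str, scheme: str) -> dict:
    """Store a fresh random salt, the hash, and which scheme produced it."""
    salt = os.urandom(16)
    hasher = sha1_salted if scheme == "sha1" else slow_hash
    return {"scheme": scheme, "salt": salt, "hash": hasher(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Hash the candidate with the stored salt; compare in constant time."""
    hasher = sha1_salted if record["scheme"] == "sha1" else slow_hash
    return hmac.compare_digest(hasher(candidate, record["salt"]), record["hash"])


def login_and_migrate(record: dict, candidate: str) -> tuple:
    """Verify a login; on success, upgrade a legacy SHA1 record to the slow
    scheme with a new salt, since the plaintext is only known at login time."""
    if not verify(record, candidate):
        return False, record
    if record["scheme"] == "sha1":
        record = make_record(candidate, "slow")
    return True, record


if __name__ == "__main__":
    legacy = make_record("correct horse battery staple", "sha1")
    ok, upgraded = login_and_migrate(legacy, "correct horse battery staple")
    print(ok, upgraded["scheme"])  # True slow
```

A wrong guess leaves the legacy record untouched, so accounts that never log in again stay on SHA1 and still need a forced reset.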

Affected users should also note that changing their LivingSocial password will only make the LivingSocial account secure. Most users reuse the same password over multiple online accounts. All of those accounts using the same password must now also be considered ‘hacked’. Affected users should change all of their passwords to new, strong, and different passwords for every account - and as soon as possible.
