Breach, Data Security, Encryption, Network Security

LivingSocial updates encryption practices after password breach affects 50m

After a massive breach impacted more than 50 million of its customers, the daily-deal website LivingSocial has updated its password encryption method to bolster security.

On Friday, the company confirmed that its computer systems were hacked, resulting in “unauthorized access” to customer data stored on its servers.

According to a security notice on its website, names, email addresses, some users' dates of birth and salted passwords were accessed. Salting is a security method where a sequence of symbols is added to passwords before they're hashed.

LivingSocial now uses a hashing algorithm known as bcrypt, dropping the more outdated SHA1. The company said that while it typically has applied tight security controls to protecting its passwords, it now has implemented the stronger algorithm.

“LivingSocial never stores passwords in plain text,” said the security notice on the company site. “LivingSocial passwords were hashed with SHA1 using a random 40-byte salt. What this means is that our system took the passwords entered by customers and used an algorithm to change them into a unique data string (essentially creating a unique data fingerprint) – that's the ‘hash.' To add an additional layer of protection, the ‘salt' elongates the password and adds complexity. We have switched our hashing algorithm from SHA1 to bcrypt.”

Washington, D.C.-based LivingSocial has not confirmed how its systems were compromised. No customer credit card information was accessed. As a safety precaution, the company required users to reset their passwords following the breach.

LivingSocial was most recently valued at an estimated at $1.5 billion, a dramatic reduction from its worth as early as a year ago. Daily-deal sites like LivingSocial and Groupon significantly have struggled in recent years as losses mount.

On Monday, Andreas Baumhof, CTO at ThreatMetrix, a San Jose, Calif-based security firm that helps secure companies against account takeover fraud and data breaches, told SCMagazine.com that SHA1, LivingSocial's former hashing algorithm, is considered a successor to MD-5.

“The security practices at LivingSocial were not particularly bad,” Baumhof said. “However, I think they just want to make sure that they take security very seriously."

Because LivingSocial has already salted customer passwords, it makes it more difficult for attackers to reverse engineer them, Baumhof said.

“It doesn't make it impossible [to crack] the passwords, just much harder,” he said of salting.

On Saturday, Paul Ducklin, the head of technology for the Asia-Pacific region at security firm Sophos, wrote a blog post urging users to make sure they employ a different password for each site they use. This deters the possibility that one's LivingSocial password could be used, for example, to access their bank account.

LivingSocial joins a number of companies that experienced similar incidents last year, when the credentials belonging to members of LinkedIn, Yahoo, eHarmony, Formspring and Billabong were accessed by hackers. In many of these cases, the passwords were encrypted, but still easily cracked using commonly available tools requiring minimal time and investment.

Most recently, popular notetaking software service Evernote experienced a breach that also impacted 50 million of its users. Evernote reportedly used MD-5, a cryptographic hash function that has been known for years to be vulnerable.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds