Open Source Subnet: An independent Open Source community

Living Social shows how not to handle a password leak

Take action to avoid a disaster.

Like many of you reading this, I recently received the following email from Living Social CEO Tim O'Shaughnessy,

IMPORTANT INFORMATION

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

Two things you should know:

1. The database that stores customer credit card information was not affected or accessed.

2. If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised.

You do not need to take any action at this time, but we wanted to be sure you were fully informed of what happened.

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website - and require you to login - before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

If you have additional questions about this process, the "Create New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Sincerely,

Tim O'Shaughnessy, CEO

If you didn't receive this email from Living Social, you have probably received a similar type of notice from other vendors who have been the victims of data breach attacks and in turn have made you a victim as well. Many of these kinds of notifications will also offer you free credit monitoring services for a period of time to protect you. Various state laws require these companies to notify you of these data breaches, and others mandate the credit monitoring service be offered to consumers whose confidential information is at risk.

Other companies take the Living Social approach, which is to say "don't panic, nothing too valuable was taken." In this case, the fact that your name, email address and date of birth were stolen is held out to be not too terrible. After all "they never store passwords in plain text." Whew, now I can breathe easier. Give me a break!

Once an identity thief has your name, email and date of birth, how hard is it to get your mailing address? Armed with all of this, how hard is it to start applying and creating accounts in your name all over the Internet? Living Social's "don't worry, be happy" attitude here is giving a false sense of security (pun intended).

Next, they tell you that your credit card data was stored on another server and was not compromised. Really, how do you know for sure? Why are you even storing credit card data?

So what about those encrypted passwords, salted and hashed? If you are like me and use a randomly generated password for each site you visit, along with a password manager, your password being stolen is probably no worse than the fact that they already have your email, DOB, etc. But for many others, if the attackers can crack that salted hash, how many other accounts will be accessible? If it is two, three, or more sites, you are in trouble.

While you may not even store a credit card on Living Social, armed with your password, it doesn't take much to use your information and log on to a banking site, Amazon or any number of other sites that could really cost you big bucks. 

Using the same passwords on multiple sites could be the single biggest issue around breaches like this. With so many password management solutions out there, many of them free, why take the risk? Take this potential disaster off the table today!

One last thing on Living Social's warm and fuzzy approach. Instead of saying encrypted passwords can be broken by hackers and requiring users to reset their passwords immediately (such as Vudu recently did), Living Social instead says, "you do not need to take any action at this time, but we wanted to be sure you were fully informed of what happened." Really, Living Social? It is this kind of message that can make a simple data breach into a disaster.
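The two points above (salted hashes only slow an attacker down, and a breach should force a reset) are easier to see in code. This is an added illustration, not LivingSocial's code; the in-memory `USERS` store and the function names are hypothetical. It stores passwords with a per-user random salt and a deliberately slow KDF (scrypt), and shows the breach response the article asks for: invalidating every stored hash so that a leaked credential cannot be used for login until the user picks a new password.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory user store for this example only (hypothetical schema).
USERS = {}

# scrypt work factor: 2**14 iterations, r=8 -> ~16 MiB per guess, which is what
# makes offline guessing against a leaked table costly. A salted SHA-1 or MD5
# hash has a salt too, but each guess costs nanoseconds.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn per user unless one
    is supplied for verification."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "must_reset": False}


def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None or rec["must_reset"]:
        return False  # after a breach the old credential is refused until reset
    _, digest = hash_password(password, rec["salt"])
    # constant-time comparison so verification does not leak via timing
    return hmac.compare_digest(digest, rec["hash"])


def force_reset_all() -> int:
    """Breach response: invalidate every stored hash. Returns the number of
    accounts that now require a new password."""
    for rec in USERS.values():
        rec["must_reset"] = True
    return len(USERS)


def reset_password(username: str, new_password: str) -> None:
    """User-initiated reset: new salt, new hash, login re-enabled."""
    salt, digest = hash_password(new_password)
    USERS[username] = {"salt": salt, "hash": digest, "must_reset": False}
```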

In spite of how much Living Social tells us they care about our information and how seriously they take security, if you have a Living Social account, you should run, not walk, and reset your password immediately! Then, if you don't already do it, set up a password manager and stop using the same passwords over and over.
