LivingSocial t-shirt (Photo: justgrimes / Creative Commons)
Over 50 million LivingSocial accounts were compromised when the daily deals site was recently breached by unknown hackers. The company confirmed that it has sent email alerts to all affected users advising them to change their passwords immediately.
While this is not the first reported cyber attack on a well-known site, the haul could prove to be the biggest of the year by far. The hackers obtained email addresses and encrypted passwords; LivingSocial said it reset the passwords as soon as the attack was reported.
How the theft was carried out is still undetermined, but George Tubin, a senior security strategist at Trusteer, told SecurityWatch that this kind of breach is often executed by installing malware on devices commonly used by employees. The hackers then work their way through the network and target the systems they believe hold sensitive information, which is what appears to have happened at LivingSocial.
Tubin added that providers should always expect hackers to attack their systems for the sensitive information they hold. He also noted that in this case it is quite obvious providers are not doing enough to protect their clients.
Hashing and Salting Not Enough
In an effort to reassure affected users, LivingSocial CEO Tim O'Shaughnessy said the passwords were hashed and salted, making it tough for hackers to crack open accounts and obtain more sensitive information. But according to Ross Barrett, a senior manager of security engineering at Rapid7, hashing and salting only delay thieves from retrieving what they came for; eventually they will find a way to recover the original passwords.
Hashing and salting are two security measures that most providers use as a first line of defense in the event of a breach. Hashing converts a password into a one-way cryptographic representation, so the stored value cannot simply be reversed back into the password. Salting adds a random string to the password before the hash is computed, so that each stored hash is unique even when two LivingSocial users choose the same password, and an attacker who does not know the salt cannot reuse precomputed tables of hashes.
But LivingSocial's biggest problem lies in its use of SHA-1, a weaker choice for password hashing than the more secure PBKDF2, bcrypt, and scrypt. Like MD5, SHA-1 is used by many providers mainly because it was designed for fast operation and uses fewer computing resources, and that same speed lets an attacker test guesses quickly.
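The following example, added here and not code from LivingSocial or from the article, shows the three storage schemes the paragraphs above contrast: plain SHA-1, salted SHA-1, and PBKDF2 with a per-user salt. It also measures how many single SHA-1 hashes fit in the time of one PBKDF2 derivation, which is the defender's reason for preferring a deliberately slow, iterated scheme. The password, the salt length and the iteration count are constructed values chosen for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demo (not real LivingSocial data).
PASSWORD = b"correct horse battery staple"
SALT_LEN = 16                  # 128-bit random salt per user
PBKDF2_ITERATIONS = 200_000    # assumption: a cost chosen for this demo, tune per deployment


def sha1_unsalted(password: bytes) -> str:
    """Plain SHA-1: identical passwords produce identical digests, and each
    digest is a single fast operation, so guesses can be tested very quickly."""
    return hashlib.sha1(password).hexdigest()


def sha1_salted(password: bytes, salt: bytes) -> str:
    """SHA-1 with a per-user salt prepended: two users with the same password
    now get different digests, but one guess is still one fast hash."""
    return hashlib.sha1(salt + password).hexdigest()


def pbkdf2_store(password: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 and a fresh random salt.
    Stored format (constructed for this demo):
    pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: bytes, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count and compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record was made with fewer iterations than current
    policy; a site can upgrade such records transparently at the next login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < min_iterations


def cost_ratio(password: bytes, iterations: int = PBKDF2_ITERATIONS, trials: int = 1000) -> float:
    """How many salted SHA-1 hashes can be computed in the time of a single
    PBKDF2 derivation. A large ratio is the point of an iterated scheme."""
    salt = os.urandom(SALT_LEN)
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.sha1(salt + password).digest()
    sha1_each = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / sha1_each


if __name__ == "__main__":
    # Two users who chose the same password.
    print("unsalted, user A:", sha1_unsalted(PASSWORD))
    print("unsalted, user B:", sha1_unsalted(PASSWORD))   # identical digest
    print("salted,   user A:", sha1_salted(PASSWORD, os.urandom(SALT_LEN)))
    print("salted,   user B:", sha1_salted(PASSWORD, os.urandom(SALT_LEN)))  # differs
    record = pbkdf2_store(PASSWORD)
    print("pbkdf2 record:", record)
    print("verify correct:", pbkdf2_verify(PASSWORD, record))
    print("verify wrong:  ", pbkdf2_verify(b"wrong password", record))
    print(f"one PBKDF2 derivation costs about {cost_ratio(PASSWORD):,.0f} salted SHA-1 hashes")
```

The salt defeats precomputed tables and hides which users share a password, but only the iteration count (or bcrypt's and scrypt's equivalent cost parameters) makes each guess expensive for whoever holds a stolen database; a record stored with a lower cost than current policy is flagged by `needs_rehash` so it can be upgraded when the user next logs in.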
Why the Need to Change Passwords Quickly
Despite the countermeasures LivingSocial cites, its users should act swiftly and change their passwords immediately. It is well known that most people tend to reuse one password across different sites for easy recall, and hackers exploit this without remorse. Once they have recovered the original passwords, nothing will stop them from trying those passwords on other popular sites such as Facebook, LinkedIn, and email accounts, all of which are goldmines of private and sensitive information.
But even without the passwords, hackers can still use personal information such as birthdays and names to build malicious phishing campaigns. They can trick users into believing they are receiving legitimate messages from people they know, and only time will tell how far such data will be used in attacks on other sites.
Ultimately it comes down to user awareness of how important it is to use a different password for each site. Barrett added that these breaches are another reminder of why good password hygiene matters. He concluded that the LivingSocial breach should serve as a constant reminder that organizations holding valuable consumer data will always be prime targets for hackers.