What Hacked LivingSocial Users Actually Need to Worry About

Over the weekend, millions of subscribers to daily deal site LivingSocial were alerted by email that their personal data may have been compromised.

"LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers," the company said in an email to users. "The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically 'hashed' and 'salted' passwords."

The good news is that there's not much that the data thieves can do with what they stole.

Yes, many LivingSocial account-holders have credit card information stored with the site. But the site says that "the database that stores customer credit card information was not affected or accessed." So you don't need to worry that your stored credit card information will be used on a spending spree.

But what about the account itself? The database included email addresses and passwords, but LivingSocial insists that the passwords were encrypted. How hard would it be for the thieves to decrypt them, access your account, and buy a bunch of coupons and merchandise on your dime?

Chester Wisniewski, a security researcher for Sophos, says that this isn't the sort of encryption where a hacker who discovers a "magic key" could instantly decrypt all of the passwords -- the hashed passwords can't be unraveled so easily. But if the hackers know what sort of program was used to encrypt the passwords, they can use trial-and-error to see which commonly-used passwords produce which hashed passwords.

In other words, the hackers could punch in the word "kittens," see what alphanumeric string is produced, and then search the database for that string of letters and numbers. Wherever they find it, they know that that account uses the password "kittens."
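The check described above, written as a defender's audit of stored hashes against a list of common passwords. This is an added example, not code from the article or from LivingSocial; the SHA-256 salt-then-password scheme, the sample accounts and the word list are assumptions constructed for illustration. It also shows that with per-user salts a guess has to be recomputed for every account rather than looked up once.

```python
import hashlib
import hmac
import os

# Constructed list of commonly used passwords (illustrative only).
COMMON_PASSWORDS = ["123456", "password", "kittens", "qwerty"]

def salted_hash(password, salt):
    # Assumed scheme: SHA-256(salt || password). The page does not name the algorithm.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def make_record(email, password):
    # Each account gets its own random salt, stored next to the hash.
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": salted_hash(password, salt)}

# Constructed sample accounts: two share a weak password, one is strong.
ACCOUNTS = [
    make_record("alice@example.com", "kittens"),
    make_record("bob@example.com", "kittens"),
    make_record("carol@example.com", "v9#Lq2!tRz7pWx4m"),
]

def single_lookup_matches(records, word):
    # Hash the word once (no salt) and search the stored hashes for it.
    target = hashlib.sha256(word.encode("utf-8")).hexdigest()
    return [r["email"] for r in records if hmac.compare_digest(r["hash"], target)]

def audit_common_passwords(records, wordlist):
    # Re-hash every candidate with each account's own salt and compare.
    weak, hashes_computed = {}, 0
    for record in records:
        for word in wordlist:
            hashes_computed += 1
            candidate = salted_hash(word, record["salt"])
            if hmac.compare_digest(candidate, record["hash"]):
                weak[record["email"]] = word
                break
    return weak, hashes_computed

if __name__ == "__main__":
    print("single lookup:", single_lookup_matches(ACCOUNTS, "kittens"))
    weak, cost = audit_common_passwords(ACCOUNTS, COMMON_PASSWORDS)
    print("accounts to force-reset:", sorted(weak), "hashes computed:", cost)
```

The two accounts with the same weak password store different hashes, so the one-shot search finds nothing, yet both still fall to per-account guessing while the strong password does not.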

The key takeaway, then, is that users who have an easily-cracked or commonly-used password have the most to fear here.

"For people who have strong passwords, it's probably almost impossible to crack," says Wisniewski. "For people who chose weak ones, a determined attacker could figure them out."

To be on the safe side, it's best to change your password, especially if you're using a single English word (like "kittens") or a commonly-used password. And if you've reused that password on another site, change it there, too -- if hackers unlock your password, they'll almost certainly try out that email-and-password combination on a bunch of other highly-trafficked sites.

Something Phishy

If you've taken care of that, the only thing that you really need to worry about here is phishing attacks. Whoever breached LivingSocial has your name and email address, and they know you're a LivingSocial subscriber. With that information, they can send you emails that look like they are from the company, and might even use the now-public data breach as a pretense for emailing you.

"[They could] send out millions of emails saying they're LivingSocial, and get users to change their passwords," he says. "The biggest risk to people is clicking a link in an email."

Those who do so could be directed to a site that looks like LivingSocial and asks you to enter your account information, causing you to unwittingly hand over your real password. So if you want to visit the site, your best bet is to manually enter the address into your web browser.

Trying to decrypt passwords is a time-consuming process, and hackers would much rather just trick you into handing over the password yourself. Don't do them any favors.

Matt Brownell is the consumer and retail reporter for DailyFinance. You can reach him at Matt.Brownell@teamaol.com, and follow him on Twitter at @Brownellorama.

1 Comment

I will never open another e-mail from Living Social. Never! The hackers were in my computer, just this very day! They had the audacity to take control and point to the L.S. e-mail I had just opened and closed. Had only been a member for a few days! The great part is, I was not a member long enough to purchase one of their deals, therefore Living Social has no banking information! Whew wee!

April 29 2013 at 10:59 PM
1 reply to notruthingov's comment

They were not able to get inside to anyone's banking info... it is good to change your passwords on a monthly basis to every account you have.. this is the reason I don't do Twitter etc... and as always .. if you don't know the sender of an email that has an attachment just delete it.. Facebook was hacked and is sending out messages from your family n friends that says hey craig .. when I know damn well my son would say that.. lol.. just be careful and use common sense.. and if you get some of those phishing emails asking for info from your bank or whoever.. FWD: it to ABUSE@aol.com or ABUSE@Yourbank.com etc..

April 29 2013 at 11:28 PM