What Hacked LivingSocial Users Actually Need to Worry About
"LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers," the company said in an email to users. "The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically 'hashed' and 'salted' passwords."
The good news is that there's not much that the data thieves can do with what they stole.
Yes, many LivingSocial account-holders have credit card information stored with the site. But the site says that "the database that stores customer credit card information was not affected or accessed." So you don't need to worry that your stored credit card information will be used on a spending spree.
But what about the account itself? The database included email addresses and passwords, but LivingSocial insists that the passwords were encrypted. How hard would it be for the thieves to decrypt them, access your account, and buy a bunch of coupons and merchandise on your dime?
Chester Wisniewski, a security researcher for Sophos, says that this isn't the sort of encryption where a hacker who discovers a "magic key" could instantly decrypt all of the passwords -- the hashed passwords can't be unraveled so easily. But if the hackers know what sort of program was used to encrypt the passwords, they can use trial-and-error to see which commonly-used passwords produce which hashed passwords.
In other words, the hackers could punch in the word "kittens," see what alphanumeric string is produced, and then search the database for that string of letters and numbers. Wherever they find it, they know that that account uses the password "kittens."
"For people who have strong passwords, it's probably almost impossible to crack," says Wisniewski. "For people who chose weak ones, a determined attacker could figure them out."
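As an added illustration (not part of the original article, and not LivingSocial's code), the sketch below runs the trial-and-error check described above the way a site could audit its own stored hashes for weak passwords. PBKDF2-HMAC-SHA256, the iteration count, the account names and the word list are all assumptions made for the demo; because each account has its own salt, every guess has to be re-hashed per account, and two users with the same password do not share a hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor, chosen only to keep the demo quick


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated per account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def audit_weak_passwords(records, common_passwords):
    """Return {user: password} for accounts whose hash matches a common password.

    Each candidate is re-hashed with the account's own salt, so the cost is
    (accounts x candidates) slow hashes instead of one lookup per candidate.
    """
    weak = {}
    for user, (salt, stored) in records.items():
        for candidate in common_passwords:
            _, digest = hash_password(candidate, salt)
            if hmac.compare_digest(digest, stored):
                weak[user] = candidate
                break
    return weak


def share_same_hash(records, user_a, user_b):
    """True if two accounts store an identical digest."""
    return records[user_a][1] == records[user_b][1]


# Constructed sample data: two users picked the same weak word, one a strong one.
COMMON = ["123456", "password", "kittens", "qwerty"]
RECORDS = {
    "alice": hash_password("kittens"),
    "bob": hash_password("kittens"),
    "carol": hash_password("v9#Lq2!xTz-rainbow-Ostrich"),
}

if __name__ == "__main__":
    print("same hash for alice and bob:", share_same_hash(RECORDS, "alice", "bob"))
    print("accounts to force-reset:", audit_weak_passwords(RECORDS, COMMON))
```

Accounts flagged by such an audit are the ones to push through a forced password reset first.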
To be on the safe side, it's best to change your password, especially if you're using a single English word (like "kittens") or a commonly-used password. And if you've reused that password on another site, change it there, too -- if hackers unlock your password, they'll almost certainly try out that email-and-password combination on a bunch of other highly-trafficked sites.
If you've taken care of that, the only thing that you really need to worry about here is phishing attacks. Whoever breached LivingSocial has your name and email address, and they know you're a LivingSocial subscriber. With that information, they can send you emails that look like they are from the company, and might even use the now-public data breach as a pretense for emailing you.
"[They could] send out millions of emails saying they're LivingSocial, and get users to change their passwords," he says. "The biggest risk to people is clicking a link in an email."
Those who do so could be directed to a site that looks like LivingSocial and asks them to enter their account information, causing them to unwittingly hand over their real password. So if you want to visit the site, your best bet is to manually enter the address into your web browser.
Trying to decrypt passwords is a time-consuming process, and hackers would much rather just trick you into handing over the password yourself. Don't do them any favors.
Matt Brownell is the consumer and retail reporter for DailyFinance. You can reach him at Matt.Brownell@teamaol.com, and follow him on Twitter at @Brownellorama.