Daily deals company LivingSocial is sending out an email to 50 million of its members today saying that the company has been hacked. It assures the public that the hackers did not access any credit card information.
LivingSocial announced the hack through an email to the affected people today as well as in an internal email to employees that emphasized the systems that were affected. Currently, only names, birthdays, email addresses, and encrypted passwords were collected by the criminals. The passwords were hashed and salted rather than stored in plain text, but hashed passwords can still be cracked by hackers with the right tools, so you should be sure to change your passwords if you used your LivingSocial one for any other accounts.
When asked when this breach originally occurred and if it was connected to a Java exploit or a phishing attack, a company spokesperson said LivingSocial is not yet ready to discuss those details.
Tim O’Shaughnessy, LivingSocial’s chief executive, explained in the email to employees that the hack did not touch the servers that hold credit card information nor the servers that store merchant financial or banking information.
LivingSocial is reaching out to everyone except those who live in Thailand, Korea, Indonesia, and the Philippines. A spokesperson for the company explained that customer information for anyone in those countries is stored on a separate, untapped server, “so there was no impact on them from the attack.”
In the aftermath of attacks like these, hackers often attempt to use phishing attacks to gain even more information. LivingSocial assures customers that it will never ask for personal or account information in an email. If you see an email asking for anything of this nature, assume that it’s a fraud and don’t respond. If you’re concerned about your account, go directly to the website and check your account from there.
Here is the email sent to LivingSocial employees, which the company supplied us with:
E-MAIL FROM TIM O’SHAUGHNESSY TO EMPLOYEES
Re: Security Incident
This e-mail is important, so please read it to the end.
We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.
The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.
Two things you should know:
- The database that stores customer credit card information was not affected or accessed.
- The database that stores merchants’ financial and banking information was not affected or accessed.
The security of our customer and merchant information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.
To ensure our customers and merchants are fully informed and protected, we are notifying those who may have been impacted via email explaining what happened, expiring their passwords, and requesting that they create new passwords. A copy of the note is included below this email.
Because we anticipate a high call volume and may not be able to answer or return all calls in a responsible fashion, we are likely to temporarily suspend consumer phone-based servicing. We will be devoting all available resources to our web-based servicing.
I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.