Daily deals company LivingSocial is sending out an email to 50 million of its members today saying that the company has been hacked. It assures the public that the hackers did not access any credit card information.

Living Social announced the hack through an email to the affected people today as well as in an internal email to employees that emphasized the systems that were affected. Currently, only names, birthdays, email addresses, and encrypted passwords were collected by the criminals. Encrypted, or hashed, passwords can be unencrypted by the hackers with the right tools, so you should be sure to change you passwords if you used your LivingSocial one for any other accounts.

When asked when this breach originally occurred and if it was connected to a Java exploit or a phishing attack, a company spokesperson said LivingSocial is not yet ready to discuss those details.

Tim O’Shaughnessy, LivingSocial’s chief executive, explained in the email to employees that the hack did not touch the servers that hold credit card information nor the servers that store merchant financial or banking information.

LivingSocial is reaching out to everyone except those who live in Thailand, Korea, Indonesia, and the Philippines. A spokesperson for the company explained that customer information for anyone in those countries is stored on a separate, untapped server, “so there was no impact on them from the attack.”

In the aftermath of attacks like these, hackers often attempt to using phishing attacks to gain even more information. LivingSocial assures customers that it will never ask for personal or account information in an email. If you see an email asking for anything of this nature, assume that’s it’s a fraud and don’t respond. If you’re concerned about your account, go directly to the website and check out your account from there.

Here is the email sent to LivingSocial employees, which the company supplied us with:

LivingSocial image via justgrimes/Flickr

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

Zendesk manages backoffice features like customer support and help desk operations via a cloud service it delivers to hundreds of clients serving over 65 million people, the company says on its website. Only Twitter, Pinterest, and Tumblr clients were affected, the company says, but those sites comprise literally hundreds of millions of users.

Since most end users never touch Zendesk directly, most users’ first awareness that there might be a problem with their personal informtion will come via an email from one of the affected services. I received an email from Tumblr this evening at 11:05PM PST, saying that my information may have been exposed.

Assuming Zendesk knows exactly how deep the penetration went, there is probably not a lot to worry about. The attackers gained access to email addresses and the subject lines of support emails, but there’s no indication they accessed any passwords or other data.

In other words: don’t panic.

Here’s the email that Tumblr sent out to affected users:

Important information regarding your security and privacy

For the last 2.5 years, we’ve used a popular service called Zendesk to store, organize, and answer emails to Tumblr Support. We’ve learned that a security breach at Zendesk has affected Tumblr and two other companies. We are sending this notification to all email addresses that we believe may have been affected by this breach.

This has potentially exposed records of subject lines and, in some cases, email addresses of messages sent to Tumblr Support. While much of this information is innocuous, please take some time today to consider the following:

• The subject lines of your emails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your email address.
• Any other information included in the subject lines of emails you’ve sent to Tumblr Support may be exposed. We recommend you review any correspondence you’ve addressed tosupport@tumblr.com, abuse@tumblr.com, dmca@tumblr.com,legal@tumblr.com, enquiries@tumblr.com, orlawenforcement@tumblr.com.
• Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.

Your safety is our highest priority. We’re working with law enforcement and Zendesk to better understand this attack. Please monitor your email and Tumblr accounts for suspicious behavior, and notify us immediately if you have any concerns.

This is an breaking story, check for updates on Friday.

photo credit: alles-schlumpf via photopin cc

Nationwide might be on your side, but the hackers who broke into it aren’t. The company released an apology today, revealing the October breach that compromised social security information.

The hack on Nationwide came through servers it shared with Allied Insurance, and may have affected up to 1.1 million people, according to The Washington Post. Hackers tapped into quite a payload of personally identifiable information including name, birthday, social security number, and driver license ID number. Nationwide says hackers may also have gotten away with marital status, gender, and work information such as your title, company, and company address. The company said it stores this type of information in order to give people quotes on its insurance.

“At this time, we have no evidence that any medical information or credit card account information was stolen in the attack,” the company said in a statement.

Nationwide says it found the attack the same day it happened, October 3, and immediately reported it to the authorities. It is currently sending out notices to everyone whose information was accessed and, through a partnership with Equifax, is giving those people free identity theft protection and credit monitoring. Anyone who uses Nationwide, or recently sent in their information for a quote, should check their bank statements often — even if you don’t believe your information was part of the hack.

As for who was behind the attack, Nationwide and law enforcement do not yet know. However, the insurance company does suspect that they came from outside the United States. Law enforcement officials are still looking through the forensic evidence to see if they can trace the event back to a specific person or country.

Nationwide image via tlarrow/Flickr

Old accounts are being re-verified, says Search Engine Journal. That may not sound like a big deal, but it’s a potential disaster for anyone who has had search engine optimizers working on their websites.

“From initial glance at our WMT’s accounts we now have regained access to every old account we have previously been given access to, whether that is a previous client or maybe a site that came to us for some short term consultancy,” David Naylor posted on his search marketing blog today.

Source: David Naylor

Google Webmaster Tools re-verifying old accounts

Hopefully, no black hats are taking advantage of special access to former clients’ sites, as they could cause significant damage by uploading fake sitemaps, requesting removal of key URLs from Google’s index, re-configuring U.S.-based sites to target users in Kazakhstan, Timbuktu, or any other random place, and setting Google’s crawl rate at a ridiculously slow pace, among other things.

Dennis Goedegebuure, a former director of SEO at eBay, confirmed to The Next Web that he had been granted access to eBay’s webmaster tools even though he left the company almost a year and a half ago.

I personally could not verify the problem. In former lives I’ve managed sites with millions of monthly pageviews and had access to those sites’ accounts. A quick check tonight verified that I have not been re-verified for those accounts — which may mean that Google has fixed the issue, or simply that my GWT account was not affected.

The breach goes as far as granting access to sites’ Google Analytics accounts as well, at least in some cases. That allows access to extremely sensitive information that companies and sites do not want former employees or consultants seeing or sharing.

Google hasn’t commented on the issue yet, as far as I can tell, and the Google Webmaster Tools blog has not been updated since November 12.

UPDATED 1:03PM:

Google has now released a comment:

“For several hours yesterday a small set of Webmaster Tools accounts were incorrectly re-verified for people who previously had access. We’ve reverted these accounts and are investigating ways to prevent this issue from recurring.”

Meanwhile, Twitter is doing what Twitter does:

Never screw your SEO… you never know when Google will do something stupid like let them back into your Webmaster Tools account.

—
Ben Cook (@Skitzzo) November 27, 2012

Wonder how many evil thing are being done with Webmaster Tools right now. Best thing Google could do right now is switch it off

—
Kean Richmond (@keanrichmond) November 27, 2012

photo credit: tashland via photopin cc

Sept. 9 - 10, 2013
San Francisco, CA

Early Bird Tickets on Sale

With all the attention cloud storage services Box and Dropbox have garnered, it’s easy to forget that there are other startups in the game, which are quietly picking up steam and cornering new markets.

SpiderOak, a Dropbox competitor, is a Northbrook Illinois-based company that can backup pictures, music, video, files, and documents. The startup’s value proposition is that it works with super-sensitive information, so customers include no-name government agencies.

I asked SpiderOak founder and CEO, Ethan Oberman, about the recent wave of high-profile security breaches. (Read more about the major hack to the account of Mat Honan, a writer at Wired and Apple cofounder Steve Wozniak’s claim that the cloud will cause “horrible problems.”)

Prompted to discuss Dropbox’s security problems, he said that there is a world of difference between privacy and security. He used the analogy of a bank. Most cloud storage providers work like your standard bank account; despite a few glitches, it’s a highly secure place to keep your money. SpiderOak, he explained, is like a Swiss Bank account. “The bank doesn’t know what’s in the lockbox,” Oberman said. “It only knows that it’s keeping something for you.”

For this reason, the company is a popular choice for industries (healthcare, legal, and so on) where strict compliance standards need to be met.

Today, the company announced it would cater to users with even tighter restrictions — such as the Department of Defense, and EU and Canadian customers that face regulations against storing data on foreign soil — by announcing a new product, SpiderOak Blue Private Cloud. Instead of storing data on a third party site, SpiderOak can now stored data within a company’s own infrastructure.

Ethan Oberman, SpiderOak’s CEO.

“What better place to store data than in their own firewall? Having that flexibility is critical,” said Oberman.

Note that SpiderOak is one of many niche providers that claim to bring greater standards of privacy to the cloud. As CIO’s Jonathan Feldman put it: ”For business to actually get transacted, sometimes we need to achieve a balance between security and functionality.”

On the consumer side, SpiderOak has also had a bit of success with users who don’t want to drag data into a storage drive. The company offers cloud storage without the box. Its system integrates with the existing file structure on your desktop. Oberman told me that there were a few reasons why they built the technology this way: “It works more in line with how people actually user their computers,” he said.

Locked cloud image via Shutterstock

Dropbox users are complaining on the forums that email addresses they’ve used only for cloud storage and sharing service are getting spam … which leads them to believe that Dropbox has had some kind of security breach.

The first user complaint was about a day ago:

However, there are some from just three hours ago (morning, July 18), including this one from a fairly knowledgable user who believes that the junk mail is not just coming from random guesses by spammers:

As TechCrunch noticed, a Dropbox employee on the forums has confirmed the company is investigating, and has brought in an outside team of experts to help, who are working around the clock to look for any possible security breaches:

But the issue has not yet been reported either on Dropbox’s news site or the Dropbox blog, which suggests that the company has either not found any issues yet or that issues remain unresolved.

Unfortunately, security problems are not a new thing for Dropbox.

The platform recently had very basic flaws in its mobile apps, and last year it left accounts completely unprotected for four hours. After that failure, the company posted on its blog that it was re-dedicating to security.

It’s unclear still what is happening at Dropbox, and as a user I can say I have not received any unusual emails or spam that would indicate my account may have been compromised.

VentureBeat has reached out to Dropbox for a statement, and we’ll update this post as we receive more information.

[ update ]

Dropbox pointed me to the post from Joe G, a Dropbox employee, that I included above. Upon further questioning, a representative said there was no further comment at this time.

Image credit: JMiks/ShutterStock

The biggest question users have when this happens: have MY username and password been released?

A number of services can answer that. One is Should I Change My Password, which has two great features that differentiate it from some others.

One is the ability to check anonymously based on email address, which many people have as their username for online services. This is helpful, because you don’t have to enter your password into the service (which you don’t know if you can trust or not) to check if your password has, indeed, been compromised. Secondly, you can sign up to receive notifications in the future if your email address is ever involved in another hacking incident.

Simply go to Should I Change My Password, and enter your email address:

The site automatically checks you against millions of emails and passwords leaking in numerous security breaches.

If your email address is among those that have been hacked and released, this is what you’ll see. (I checked it myself with an old email address that I knew had been previously compromised.)

While investigating the breach and writing my story last night, I personally downloaded a few hundred thousand of the usernames and passwords and tried (unsuccessfully) to log into a number of Yahoo accounts.

Looks like it’s not just the newspapers snooping on UK citizens. The government itself has reported internal breaches, according to information released in a Freedom of Information request.

Over 1,000 breaches of personal information have occurred in the last year due to rogue civil servants accessing the data without permission, says ZDNet. These employees gain access to personal information, despite a lengthy vetting process giving them the permissible access in the first place. These employees came from the UK’s Department for Work and Pensions and The Department for Health. Only the Department for Work says it properly recorded breaches made, and revealed in 2011 there were around 1,000 civil servants punished for wrongful access to personal information. The latter says it did not record all the breaches, though it did record at least 150 of them.

Many of the security concerns we hear about are from external groups, such as Anonymous, other governments, and hackers working independently. They spread malware, take websites down, deface them, steal personally identifiable information and more. What people don’t realize is that these guys are the modern bank robbers. Just about anyone with access to a wealth of personally identifiable information has the opportunity to make a lot of money selling that data on the black markets. Indeed, while “hacktivists” and online protesting breaches have gotten much of the attention, hacking is still a financially lucrative game.

Companies and governments alike still need to realize that many hacks can come from within. ZDNet notes that those who do expose or illegally access personally identifiable information could be subject to a fine as expensive as $7,900. Whether or not those involved in the breaches have been fined is unknown.

via ZDNet, Tower Bridge image via Shutterstock