LivingSocial Hacked: 50 Million Users Exposed
wiredmikey writes "Daily deals site and Groupon competitor LivingSocial said on Friday it had fallen victim to a cyber attack that put its roughly 50 million users at risk. 'LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers,' the company said in a brief note on its site while prompting users to reset their passwords. Attackers reportedly obtained information including names, email addresses, date of birth for some users, and passwords, which fortunately were hashed and salted. Additionally, the database holding credit card information was not accessed by the attacker, the company said. 'While it is good that the passwords stolen from LivingSocial are hashed and salted as this likely slows down the cracking process, it won't stop it,' Rapid7's Ross Barrett said. 'Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords,' Barrett continued. 'While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they're after.' LivingSocial said they are actively working with law enforcement to investigate the incident but have not provided any additional details."
THEY SEND ME EMAILS, SO THEY SHOULD BE THE VICTIM OF CRIMES
Yes, that sounds like a very well-measured and thought-out response. Well done, sir. Especially since the culprit for the emails is probably a typo when someone else signed up, if you have a simple last-name-only email address.
Sure, you can throw whatever current best practices are toward keeping your data secure, but let's at least have a plan B for when things really do go horribly wrong. Because if it can, it eventually will.
I don't like sticking to just one method for passwords because malicious hackers usually try the methods that are easiest to implement (whether one type of algorithm or a set number of iterations, etc.); the difficulty in cracking is usually second and, let's be honest, changes day by day as GPUs, FPGAs and so on get faster and faster and can run in parallel. This is why you should try some combination of HMAC, bcrypt, etc. (nothing too "new", too fast or DIY please).
The emails are unfortunate, since now these people are prime targets for phishing (unless they've seen this report, but even then, they might think "Oh, I should change my password! Let me click on this link that totally looks like it's from Living Social."). Also of note, they should have done more to protect the birthdays most of all. That's what some people use for passwords still and I've seen it being thrown around in those "password reminder" questions. Some financial institutions even accept those in lieu of the mother's maiden name.
If computers were people, I'd be a misanthrope.
Every user gets a random salt. If you know the salt, you can generate a rainbow table for it. But, again, every user has a different salt so you need to generate a rainbow table for every user.
Generating a one-time rainbow table that cracks every password ever is easier than generating a rainbow table per password.
Do you even lift?
These aren't the 'roids you're looking for.
The point of the salt is that previously generated and downloadable rainbow tables are of no use. Making new ones would kind of defeat the purpose, as you're effectively brute forcing a tough, hashed password anyway at that point.
This is why it's good practice. It helps mitigate complexity concerns over user supplied passwords, and can make cracking multiple account pwd hashes unrealistic.
The salts aren't meant to be secure. They are commonly stored in plain text right next to the password in the database. The salt's actual job is not to prevent a hacker from breaking that user's password, but to prevent the hacker from being able to break all the passwords at once. The salt effectively "messes up" the hash of the password so that even if multiple users have the exact same password they will have different hashes. We all know many users use "1234" as their password. If each user has a random salt applied to the password and if the hacker guesses one user's password, he can't look at all the other users with the same hash and know that they all have the same password. The hacker has to spend the time cracking each password individually.
Most users use the same fucking password for everything! Living Social should be telling their users that despite the salted hashes, they should start changing all their website passwords that even look remotely similar. Of course they are also ignoring the fact that compromised systems can do more than just expose a database. Are they sure the intruder didn't figure out how to capture the passwords as people were authenticating? Are their private SSL certs still private? Why the hell are they even keeping the credit card info anyway?
I hate the way they reassure everyone that credit card numbers weren't stolen. I DGAF who steals my credit card, because it's zero liability to me and a simple phone call will fix up any unauthorized charges. There's no identity theft possible from stealing my CC#, just some minor inconvenience. It's a MUCH more serious matter that a name + DOB pair can be stolen, because that's sufficient to lead to serious identity theft. I've taken to using 1-1-80 as my DOB on sites that ask for it, but (a) sites shouldn't ask for it - they have no need to know, and (b) there are some sites where I enrolled before I set this policy, so they have my real DOB. I don't know if LS was one of those.
A one time rainbow table is entirely useless.
The Children's Online Privacy Protection Act requires that certain types of websites ask for birth dates so that parental consent can be obtained before a child under 13 signs up. Maybe the site has no personal reason to know your birthday, but they could get in some serious trouble for failing to ask. See, for a brief overview, http://en.wikipedia.org/wiki/Children's_Online_Privacy_Protection_Act. Those of us lucky enough to live in California have an even stricter version at the state level.
Anyone who was once thirteen can guess whether or not a thirteen-year-old will actually ask for their parents' permission before clicking through, but that's another issue.
I assume you've learned your lesson and are not reusing passwords now, are you?
If you think it's too hard to remember them all, just use a password manager. KeePass, LastPass (this is not open so it could be vulnerable), etc.
"Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
They actually state: "LivingSocial passwords were hashed with SHA1 using a random 40 byte salt." Source: https://www.livingsocial.com/createpassword
I'm glad they aren't using MD5, but wish they were using at least SHA-256 (SHA-1 has had flaws exposed). Or ideally bcrypt.
Honestly, as a web developer myself, there really is no reason not to use bcrypt.
That may be *part* of a salt's usefulness. Another possibly bigger part is to prevent rainbow table attacks, i.e. making it so a cracker can't just take a precomputed list of hashes of common passwords and match them to what's in the database.
- First they ignore you, then they laugh at you, then ???, then profit.
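To make concrete what the per-user salt does and does not buy in the comments above (the "1234" example, rainbow tables, and LivingSocial's stated SHA1 with a random 40-byte salt), here is an added Python example that is not from the thread or from LivingSocial. The user table and the attacker's word list are constructed, and hash invocations are counted to show that one precomputed table cracks every unsalted match at once, while a per-user salt forces a fresh pass per account.

```python
import hashlib
import os

# Constructed sample user table: several users picked the same weak password.
USERS = {"alice": "1234", "bob": "1234", "carol": "letmein", "dave": "1234"}
# Constructed attacker word list of common passwords.
DICTIONARY = ["password", "123456", "1234", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users):
    """Unsalted SHA1: identical passwords produce identical hashes."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def store_salted(users, salt_len=40):
    """Per-user random salt (LivingSocial's stated scheme: SHA1 + 40-byte salt).
    The salt is stored in the clear next to the hash; it is not a secret."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        out[u] = (salt.hex(), sha1_hex(salt + p.encode()))
    return out


def precomputed_hits(hashes, dictionary):
    """How many stored hashes a precomputed (rainbow-table style) lookup matches."""
    table = {sha1_hex(w.encode()) for w in dictionary}
    return sum(1 for h in hashes if h in table)


def crack_unsalted(table, dictionary):
    """One table of hash -> word, built once, cracks every matching user."""
    precomputed = {sha1_hex(w.encode()): w for w in dictionary}
    found = {u: precomputed[h] for u, h in table.items() if h in precomputed}
    return found, len(dictionary)  # work = hashes computed


def crack_salted(table, dictionary):
    """Precomputation is useless: each user costs a fresh dictionary pass."""
    found, work = {}, 0
    for u, (salt_hex, h) in table.items():
        salt = bytes.fromhex(salt_hex)
        for w in dictionary:
            work += 1
            if sha1_hex(salt + w.encode()) == h:
                found[u] = w
                break
    return found, work
```

The salt multiplies the attacker's work by the number of accounts but does nothing per guess; that per-guess cost is what a slow function such as bcrypt adds.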
Never use the same password twice.
Then how do you get logged back in?