LivingSocial cyber attack affects millions of customers

SAN FRANCISCO Fri Apr 26, 2013 7:06pm EDT

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files


SAN FRANCISCO (Reuters) - LivingSocial, the second-largest daily deal company behind Groupon Inc, said on Friday it was hit by a cyber attack that may have affected more than 50 million customers.

The company said the attack on its computer systems resulted in unauthorized access to customer data, including names, email addresses, date of birth for some users and "encrypted" passwords.

LivingSocial stressed customer credit card and merchants' financial and banking information were not affected or accessed. It also does not store passwords in plain text.

"We are actively working with law enforcement to investigate this issue," the company, part-owned by Amazon.com Inc, wrote in an email to employees.

LivingSocial does not disclose how many customers it has. However, spokesman Andrew Weinstein said "a substantial portion" of the company's customer base was affected. LivingSocial is also contacting customers who closed accounts, because it still has their information stored in databases, he added.

The attack hit customers in the United States, Canada, the U.K., Ireland, Australia, New Zealand, Malaysia, Southern Europe and Latin America. Customers in South Korea, Indonesia, Philippines and Thailand were not affected, Weinstein said.

"In light of recent successful widespread attacks against major social networking sites, it's obvious that these providers are simply not doing enough to protect their customers' information," said George Tubin, senior security strategist at Trusteer, a computer security company.

The attack comes as LivingSocial struggles to handle a decline in consumer and merchant demand for daily deals. The company raised $110 million from investors, including Amazon, earlier this year, but was forced to make large concessions to get the new money.

Amazon invested $56 million in LivingSocial in the first quarter, according to a regulatory filing on Friday, which also revealed the company had a first-quarter operating loss of $44 million on revenue of $135 million.

LivingSocial said on Friday it was beginning to contact more than 50 million customers whose data may have been affected by the cyber attack.

LivingSocial told customers in an email that they should log on to LivingSocial.com to create a new password for their accounts.

"We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s)," LivingSocial Chief Executive Tim O'Shaughnessy wrote in the email.

"We are sorry this incident occurred."

All Things D reported the cyber attack earlier on Friday.

(Reporting by Alistair Barr; Editing by Tim Dobbyn, Bernard Orr and Andre Grenon)

Comments (3)
ARJTurgot2 wrote:
You’ve got to be really incompetent to get hit with that level of attack in this day and age. Thank god California forced organizations to start admitting the problem. Too bad the CIO and CEO will probably keep their jobs.

Apr 26, 2013 10:15pm EDT
AlfredReaud wrote:
Absolutely not ARJTurgot2, if it was an inside job. No level of security or competence can protect you against treachery. I just had this discussion with a client at a MMJ dispensary, who wants to implement WIFI for the POS system. I recommended NO, for that reason. Even WPA Enterprise is subject to password leakage, especially if every employee has to access the network. A wired network requires access to the gateway, and makes external access a bit harder, and no employees then need credentials, and are blocked from installing applications.

Another thing is that more and more hash crackers are able to compute a reverse hash on any password hashing algorithm, because of modern desktops having a lot more crunching power. If they can’t now, it’s just a matter of time. Encrypting the hash further is fine and dandy, but it serves no purpose if they already got into your system and ganked your key.

I can’t offer a solution other than education, because the security issues are usually in the wetware…

Apr 27, 2013 9:38am EDT