Living Socially Hacked

Living Social, for those unfamiliar, is a 70-million-user+ daily deals site funded by Amazon. Over the weekend, it came to light that their database was compromised to the tune of 50 million or so of their users.

According to leaked internal memos, the breach included the “names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plan text.”

Also noted by the internal docs, neither their users’ credit card information, nor their merchants’ financial information was compromised, as their respective databases are stored on physically separated servers which were “not affected or accessed.”

As our friend Eric Fiterman has pointed out in the comments of one of the reports, the fact that the passwords were salted and hashed is really immaterial, as the aggressors most likely have the salts, which they’ll be using to match known passwords against the 50 million compromised. With such a huge number of accounts, nearly .5% of Internet users, we’re talking about an astronomical number of valid accounts.

As disconcerting as those figures may be, the scarier prospect is one which we’ve probably all been guilty of at one time or another: password reuse. Of those 50 million users, the vast majority were almost certainly using their primary email address for login to Living Social. How many of those users have that same email address tied to, well, EVERYTHING else they do online? How many of those users are using the same password on their Facebook, Gmail, and even their bank accounts? Robert Hansen of WhiteHat Security states, “This could be catastrophic, not for the accounts and credit cards that are stolen directly, but also because of password reuse of all of those millions of users. They should be changing their passwords immediately.”

This particular case illustrates two of the biggest challenges to information security professionals.

  1. End users are human, and as such make mistakes like reusing their passwords. Wise words from one of my mentors early in my career: “End users do stupid things. Just remember that we’re ALL end users.” If you forget that you’re capable of the same things, you’ll become jaded and curmudgeony earlier than your years would suggest.
  2. Organizations who fall victim to a breach tend to be loathe to detail how exactly they were compromised. This is a matter of pride in some cases, but a fear of backlash more often. Unfortunately, without know what actually happened, it makes it that much more difficult for us to educate our customers and correct those issues elsewhere to stop the propagation of the same types of attack. Was the compromise due to a web application vulnerability that could have been prevented with stronger code, or with a properly configured web application firewall? Was the breach the result of a DBA within Living Social falling victim to a phishing attack in which he unknowingly provided the attackers with an entry point?

If you read my stuff regularly (I’m hoping there’s someone out there who does), you’ll see that I often come back to the same underlying problems: human frailty, and the lack of open sharing of information among the “good guys.” This is an example of both. A very LARGE example.

Edit: Having seen the mentioned comment attributed to SpotKick, I erroneously assumed it was Eric Fiterman who had posted. It was in fact his colleague, Tom Eberle who did so. Either way, good guys who know what they’re talking about.