Why changing your LivingSocial password won't save you

Changing your LivingSocial password is a good first step, but the attackers already have crucial information you can't change or undo.

LivingSocial revealed last week that it was the victim of a cyber attack that compromised the account details of its 50 million customers. To address the situation, LivingSocial sent a notice to customers, and reset users' passwords to force people to create new ones.

Don't make the mistake of believing that changing your password is your only concern.

According to LivingSocial, the unauthorized access of its customer data servers yielded the names, email addresses, birth dates, and encrypted passwords of 50 million customers, but the company stresses that customer credit card details were not compromised because that information is stored on a separate server that the attackers did not access.

There is supposedly no immediate concern because the passwords are encrypted. LivingSocial explained that the passwords are hashed with SHA1, which is a hashing algorithm rather than encryption. Unfortunately, the definition of "immediate" may not be much consolation. When Evernote experienced a similar attack, security expert Brian Krebs pointed out that cracking standard hashing algorithms is trivial for attackers, and it probably won't slow them down for long.
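To show why a single SHA1 pass buys so little time once hashes are stolen, this added example (not from LivingSocial or the original article) measures the cost of one SHA-1 computation against a deliberately slow, salted PBKDF2 hash, and shows how a site would store and verify passwords with the latter. The function names, the 600,000-round work factor and the salted SHA-1 layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumption: 600,000 rounds is a commonly recommended PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000


def sha1_hash(password: str, salt: bytes) -> bytes:
    """One fast SHA-1 pass; the salt layout is an assumption, the article gives none."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow, salted key-derivation function from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for the user record, with a fresh random salt per user."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt), expected)


def seconds_per_hash(fn, rounds: int) -> float:
    """Average wall-clock cost of one hash computation on this machine."""
    salt = bytes(16)  # constructed fixed salt, used only for timing
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"constructed-sample-{i}", salt)
    return (time.perf_counter() - start) / rounds


def compare_costs() -> tuple[float, float, float]:
    """Return (sha1_seconds, pbkdf2_seconds, slowdown_factor)."""
    fast = seconds_per_hash(sha1_hash, 20_000)
    slow = seconds_per_hash(slow_hash, 2)
    return fast, slow, slow / fast


if __name__ == "__main__":
    fast, slow, factor = compare_costs()
    print(f"SHA-1 {fast * 1e6:.2f} us/hash, PBKDF2 {slow * 1e3:.0f} ms/hash, {factor:,.0f}x")
```

The slowdown factor is what every password guess against a stolen database costs extra, while a legitimate login pays it only once.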

But to what end? Assume an attacker has compromised your LivingSocial account and manages to crack your password. What are they going to do, order a discount spa day, or get a great deal on laser hair removal on your behalf? With access to your account, the attackers can also change the underlying details to an alternate email address and contact information, but that would be pretty dumb because it would create a trail that could be used to catch them.

Even with access to the account, the attacker should not be able to get anything more than the last four digits of any stored credit cards, so there's no real concern that the credit card details will be compromised and used to rack up charges elsewhere. The bigger concern is what an attacker can do with your personal information, not what the attacker can do with your LivingSocial account.

You should change your LivingSocial password; more importantly, you should change your password on any and every other account where you used that same password. If you have ignored security best practices and used the same password across multiple sites, the LivingSocial breach could lead to much more serious consequences for you.

The compromised password is only one facet of your risk, and that's why changing your password won't really save you. With access to this account, the attackers have your name, your email address, and your birth date. That's enough information to get them started down the path of stealing your identity. Fortunately, mailing addresses and social security numbers were not compromised; otherwise, the criminals would have everything they need to wreak even more havoc.

Stay on alert and pay attention to your email, bank accounts, credit report, and other resources that will alert you if something suspicious is going on with your identity. Don't make the mistake of thinking it's as simple as changing your password.

Stories by Tony Bradley

Latest Videos

More videos

Blog Posts