April 30, 2013, 1:59 PM — LivingSocial revealed last week that it was the victim of a cyber attack that compromised the account details of its 50 million customers. To address the situation, LivingSocial sent a notice to customers, and reset users' passwords to force people to create new ones.
Don't make the mistake of believing that changing your password is your only concern.
According to LivingSocial, the unauthorized access of its customer data servers yielded the names, email addresses, birth dates, and encrypted passwords of 50 million customers, but the company stresses that customer credit card details were not compromised because that information is stored on a separate server that the attackers did not access.
There is supposedly no immediate concern because the passwords are encrypted. LivingSocial explained that the passwords are hashed with SHA1 encryption. Unfortunately, the definition of "immediate" may not be much consolation. When Evernote experienced a similar attack, security expert Brian Krebs pointed out that cracking standard hashing algorithms is trivial for attackers, and it probably won't slow them down for long.
But to what end? Assume an attacker has compromised your LivingSocial account and manages to crack your password. What are they going to do, order a discount spa day, or get a great deal on laser hair removal on your behalf? With access to your account, the attackers can also change the underlying details to an alternate email address and contact information, but that would be pretty dumb because it would create a trail that could be used to catch them.
Even with access to the account, the attacker should not be able to get anything more than the last four digits of any stored credit cards, so there's no real concern that the credit card details will be compromised and used to rack up charges elsewhere. The bigger concern is what an attacker can do with your personals information, not what the attacker can do with your LivingSocial account.
You should change your LivingSocial password; more importantly you should change your password on any and every other account where you used that same password. If you have ignored security best practices and used the same password across multiple sites, the LivingSocial breach could lead to much more serious consequences for you.
The compromised password is only one facet of your risk, and that's why changing your password won't really save you. With access to this account, the attackers have your name, your email address, and your birth date. That's enough information to get them started down the path of stealing your identity. Fortunately, mailing addresses and social security numbers were not compromised; otherwise, the criminals would have everything the need to wreak even more havoc.
Stay on alert and pay attention to your email, bank accounts, credit report, and other resources that will alert you if something suspicious is going on with your identity. Don't make the mistake of thinking it's as simple as changing your password.