Info of 50M LivingSocial customers compromised following breach

LivingSocial, the company behind the eponymous deal-of-the-day website, has confirmed that its computer systems have been breached by attackers and that user information such as names, email addresses, date of birth, and encrypted passwords have been compromised.

LivingSocial is estimated to have more than 70 million registered users and some 50 million of them were likely affected by the breach.

According to The Age and the company spokesman customers from the U.S., Canada, the U.K., Ireland, Australia, New Zealand, Malaysia, Southern Europe and Latin America have had their information compromised, while those from South Korea, Indonesia, Philippines and Thailand are safe.

Read more:

In an email sent to all registered customers LivingSocial CEO Tim O’Shaughnessy confirmed the breach, but made sure to note that the database that stores customer credit card information was not affected or accessed.

Despite the compromised passwords being both salted and hashed, the company has forced a password reseat on all users.

“We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s),” he wrote, adding that they should be wary of emails claiming to be from LivingSocial that request the users to share personal or account information in an email.

O’Shaughnessy also sent out an email to LivingSocial employees, pointing out which information was accessed and which was not (customer credit card information, merchants’ financial and banking information), and adding that they will probably temporarily suspend consumer phone-based servicing because they anticipate a high call volume and “may not be able to answer or return all calls in a responsible fashion.”

The FAQ about the breach revealed that LivingSocial passwords were hashed with SHA1 using a random 40 byte salt, but that they have now switched their hashing algorithm to bcrypt.