By The Associated Press
SAN FRANCISCO — LivingSocial, the second-largest daily deal company behind Groupon Inc, said it was hit by a cyber attack that may have affected more than 50 million customers.
The company said the attack on its computer systems resulted in unauthorized access to customer data, including names, email addresses, date of birth for some users and “encrypted” passwords.
LivingSocial stressed customer credit card and merchants’ financial and banking information were not affected or accessed. It also does not store passwords in plain text.
“We are actively working with law enforcement to investigate this issue,” the company, part-owned by Amazon.com Inc, wrote in an email to employees.
LivingSocial does not disclose exactly how many customers it has. However, spokesman Andrew Weinstein said “a substantial portion” of the company’s customer base was accessed, more than 50 million people.
LivingSocial is also contacting customers who closed accounts, because it still has their information stored in databases, he added.
LivingSocial told customers in an email that they should log on to LivingSocial.com to create a new password for their accounts.
“We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s),” LivingSocial Chief Executive Tim O’Shaughnessy wrote in the email.
The attack on LivingSocial is just the latest in a string of attacks on consumer Internet companies in recent months.
Twitter, Facebook and Apple all stepped forward in February to say they had been the victims of what they described as a “sophisticated attack.” Evernote, the notetaking app, said last month that it had reset passwords for 50 million users after it was compromised by hackers.
LivingSocial did say it “hashed” passwords — which involves mashing up users’ passwords with a mathematical algorithm — and “salted” them, meaning it appended random digits to the end of each hashed password to make it more difficult, but not impossible, for hackers to crack.
Once cracked, passwords can be valuable on auctionlike black market sites where a single password can fetch $20.
Said George Tubin, senior security strategist at Trusteer, a computer security company:
“In light of recent successful widespread attacks against major social networking sites, it’s obvious that these providers are simply not doing enough to protect their customers’ information.”
