
LivingSocial got hacked; 50 million passwords stolen, but it still hasn’t learnt all the right lessons

We learnt over the weekend that LivingSocial got hacked, and 50 million passwords were compromised (I reported on the story for Infosecurity Magazine here: 50 million LivingSocial passwords stolen). We know that the passwords were salted and hashed with SHA1. And we know that LivingSocial thinks that’s enough, because talking about the hack it said, “The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.”

It is, of course, far from enough. SHA1-hashed passwords will take only a few seconds to crack using standard rainbow tables. Salted SHA1-hashed passwords will take a little longer, but not much. The only ‘correct’ thing LivingSocial has done has been a forced password reset for its users, and a subsequent shift to the more secure bcrypt hashing algorithm. But frankly that’s too late for any users whose stolen passwords are re-used on other accounts (statistically highly probable).

LivingSocial has so far given no details on who perpetrated the hack, with what, or when. That last is important since all of the users’ other accounts using the same password have been vulnerable since the moment the hackers exfiltrated the data. Nor do we know if the hackers gained access to any salting scripts on the server – which would largely nullify any benefit from the salt process.

I don’t have a LivingSocial account, so I’m OK. But I decided to sign up after the hack. The sign-up page wanted an email address. I gave it ‘yougottabejoking’. It also wanted a password. I entered ‘12345678’. It accepted both, and gave me an account – this account:

[Screenshot] My LivingSocial Account – no prizes for guessing the password…

Had I done this before the hack, said hackers would now be in possession of both my email address and my password – a password that even salted and hashed would not take long to crack. If I used the same password elsewhere – as many users do – then all of those other accounts would also be cracked.

My point is this. Salting and hashing is pretty useless if the password is weak. Salting and hashing (especially with bcrypt) is very good if the password is strong. So rather than allowing me to enter 12345678, LivingSocial should be imposing a strong password policy that forces all users to use a strong password.
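To make the point concrete, here is an added example (my own illustration, not code from LivingSocial or the original post) that shows both sides: a salted SHA1 hash of 12345678 is recovered by a six-entry common-password list, the kind of offline audit a site can run over its own user table, while a sign-up policy check would have rejected the password in the first place. The salt value and the wordlist are constructed, and the stdlib scrypt stands in for bcrypt as the slow hash, since bcrypt is not in the standard library.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional

# Constructed stand-in for the head of a real common-password list.
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "abc123", "letmein"}
MIN_LENGTH = 12


def salted_sha1(password: str, salt: bytes) -> bytes:
    """Salt-then-SHA1, the scheme LivingSocial described (exact layout assumed)."""
    return hashlib.sha1(salt + password.encode()).digest()


def audit_hash_against_wordlist(digest: bytes, salt: bytes,
                                wordlist: Iterable[str]) -> Optional[str]:
    """Offline audit of one stored hash: the salt sits beside the hash, so it
    defeats precomputed tables but adds nothing to the cost of each guess."""
    for guess in wordlist:
        if hmac.compare_digest(salted_sha1(guess, salt), digest):
            return guess
    return None


def password_policy_errors(password: str) -> List[str]:
    """Sign-up check that would have refused the password shown in the post."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("appears in common-password list")
    if password.isdigit():
        errors.append("digits only")
    return errors


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow KDF (scrypt, assumed stand-in for bcrypt): each guess
    costs ~16 MiB of memory and real CPU time instead of one SHA1 call."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


if __name__ == "__main__":
    salt = os.urandom(16)                      # per-user random salt
    stored = salted_sha1("12345678", salt)
    print("audit recovered:", audit_hash_against_wordlist(stored, salt, COMMON_PASSWORDS))
    print("policy errors:", password_policy_errors("12345678"))
    print("slow hash bytes:", len(slow_hash("12345678", salt)))
```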

Categories: All, Security Issues