Living Social told employees Friday that it had been breached, and that data for 50 million users might have been accessed.
In a memo to employees, the company, based in Washington, said online criminals had accessed usernames, e-mail addresses and dates of births for some users and encrypted passwords for some 50 million people. The company’s databases that store user and merchant credit card and banking information were not compromised in the attack, it said.
“We recently experienced a cyberattack on our computer systems that resulted in unauthorized access to some customer data from our servers,†the company told employees. “We are actively working with law enforcement to investigate this issue.â€
Andrew Weinstein, a spokesman for Living Social, confirmed that the attack might have compromised 50 million of its users, and said the company was resetting passwords and would be alerting customers by e-mail. Mr. Weinstein said it would get in touch with customers in all of the countries LivingSocial operates with the exception of Thailand, Korea, Indonesia and the Phillippines, where its systems were not compromised.
The attack on Living Social is just the latest in a string of attacks on consumer Internet companies in recent months. Twitter, Facebook and Apple all stepped forward in February to say they had all been the victims of a what they described as a “sophisticated attack.†Evernote, the online notetaking app, said last month that it had reset passwords for 50 million users after it was compromised by hackers.
Living Social did say it “hashed†passwords â€" which involves mashing up users’ passwords with a mathematical algorithm â€" and “salted†them, meaning it appended random digits to the end of each hashed password to make it more difficult, but not impossible, for hackers to crack. Once cracked, passwords can be valuable on auctionlike black market sites where a single password can fetch $20.
