I’m sure many of you will have already read about the massive database breach at LivingSocial, a daily-deal company second only to Groupon. If not, then you aren’t one of the “lucky” 50 million people chosen for that day’s “special deal”.
LivingSocial reported a breach of their systems in which names, email addresses, dates of birth and hashed and salted password values were stolen. Although the passwords were hashed and salted, the algorithm used was not a particularly strong one for the purpose (SHA-1): it is a fast general-purpose hash, so an attacker holding the salts can test password guesses at very high speed. This means that while cracking that password database is not trivial, it is certainly not impossible.
As a result, LivingSocial has reset every user's password and obliged them to create new ones, this time stored using a new algorithm (bcrypt). Additionally, as password reuse continues to be a perennial problem, they have also rightly advised all their customers to change their passwords on any other sites where they use the same or a similar password.
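The migration described above, from legacy salted SHA-1 records to a slow password hash at reset or next successful login, as an added example (not LivingSocial's code). It assumes a record in the uid/email/sha1/salt shape the dump advertises, with constructed values, and uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, which needs a third-party package.

```python
import hashlib
import hmac
import os

# Work factor for the slow hash. bcrypt's cost parameter plays the same
# role; PBKDF2 is used here only because it ships with Python.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """The weak legacy scheme: a single SHA-1 over salt + password.
    One hash per guess, so an attacker can test guesses very quickly."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow replacement: every guess costs `iterations` HMAC computations."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Check a password against a stored slow-hash string, in constant time."""
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(record: dict, password: str) -> bool:
    """Verify against whichever format the record holds. When a legacy
    salted-SHA-1 record verifies, replace it in place with a slow hash
    under a fresh salt so the weak hash no longer exists in the database."""
    if "pbkdf2" in record:
        return verify_slow(password, record["pbkdf2"])
    expected = legacy_sha1_hash(password, bytes.fromhex(record["salt"]))
    if not hmac.compare_digest(expected, record["sha1"]):
        return False
    record["pbkdf2"] = slow_hash(password, os.urandom(16))
    del record["sha1"]
    del record["salt"]
    return True


def make_legacy_record(uid: int, email: str, password: str) -> dict:
    """Build a constructed legacy record (hypothetical values, for the demo)."""
    salt = os.urandom(8)
    return {"uid": uid, "email": email, "salt": salt.hex(),
            "sha1": legacy_sha1_hash(password, salt)}
```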
But things just got a little more urgent for those affected. Someone calling themselves KATOGRAPHR has posted a series of samples of the stolen data on pastebin, about fifty thousand samples if they are to be believed. The reason for the samples is that KATOGRAPHR is advertising the full database dump of “over 50M uid/email/sha1/salt” for the princely sum of 1 bitcoin (currently worth around $130USD).
Of course, payment is up front, followed by an email with your “delivery address”, and there is no vouching for the veracity of the goods unless LivingSocial cares to verify them; however, several of the “taster” pastebin dump links remain active.
What does this mean for you? Well, if you’re the type of person who tends to reuse your password across multiple web sites, today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password.
It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember, there is a simple way to achieve this. Create a complex, yet memorable, password using upper and lower case letters, numbers and special characters such as $%&!. Try using the initial letter from each word in a memorable sentence, for example. Devise a way to differentiate your password for each site you use, for example by putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember.
As for those security or password reset questions, they are also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions”, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet”, remember the answer doesn’t have to be the truth, it only has to be something you can remember.