LivingSocial.com tells 50 million customers to reset passwords after cyber-attack

CEO says customers' credit-card info not affected

WASHINGTON, D.C. - LivingSocial.com, the daily deals website, said Friday its computer system had suffered a cyber-attack and 50 million customer accounts may have been accessed.

The Washington, D.C.-based company started emailing customers Friday afternoon advising them to reset their passwords. The hacking attack could compromise customers in all countries where LivingSocial operates, except Thailand, Malaysia, Indonesia and the Philippines, which use different computer systems, said LivingSocial spokesman Andrew Weinstein.

"We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," LivingSocial CEO Tim O'Shaughnessy said in an email to employees.

"The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords," O'Shaughnessy wrote. "We never store passwords in plain text," he added.

7NEWS talked to cyber expert Steve Beaty, who said an estimated 55 percent of people re-use passwords on more than one website. Beaty said once the hackers break the encryption, they can break into other accounts.

"Once a username and even a hashed or encrypted password is released, we essentially assume we have about a day at best, even with the most sophisticated encryption techniques to go ahead and get out there and change all our passwords," said Beaty.

The LivingSocial CEO said the database that stores customer credit card information was not affected or accessed, and likewise the database that stores merchants' financial and banking information was not affected or accessed.

"The security of our customer and merchant information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future," O'Shaughnessy said.

"Because we anticipate a high call volume and may not be able to answer or return all calls in a responsible fashion, we are likely to temporarily suspend consumer phone-based servicing. We will be devoting all available resources to our web-based servicing," O'Shaughnessy said.

"We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust," the CEO added.

LivingSocial sent the following email to customers with the subject line, "An important update on your LivingSocial.com account":

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The database that stores customer credit card information was not affected or accessed.

Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.

For your security, please create a new password for your email address account by following the instructions below.

1. Visit LivingSocial.com

2. Click on the "Create a New Password" button (top right corner of the homepage)

3. Follow the steps to finish

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to log in – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a different website that asks for such information.

If you have additional questions about this process, the "Create a New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Tim O'Shaughnessy

CEO, LivingSocial