PUBLIC SERVICE REQUEST:<p>If the LivingSocial hashes do end up leaking will folks who work on cracking them <i>pretty please</i> record and publish their crack rate as it changes as progress is made over the db?<p>We need these kinds of records kept on real-world events in order to do retrospective studies.<p>TIA :-)
They said they hashed and salted passwords, so it's unlikely the hackers will get "actual" passwords by brute force.<p>However, what I've seen happen after these attacks is usually that the attacker uses the e-mail addresses to do phishing attacks and just gets passwords that way. They already know their e-mail and that they are LivingSocial customers. Expect a phishing e-mail that looks like it's coming from LivingSocial.
"Ruby on Rails is the platform upon which LivingSocial runs."
- <a href="http://en.wikipedia.org/wiki/LivingSocial" rel="nofollow">http://en.wikipedia.org/wiki/LivingSocial</a><p>I'm just speculating, but the first thing that ran through my head is 'this must be a Rails breach'.<p>I'm also guessing that a very large percentage of the 50 million users signed up like I did when Amazon had a deal (something like a $20 gift card for $10).<p>LivingSocial have put up somewhat of a statement on their web site asking you to change your password:<p><a href="https://login.livingsocial.com/forgot_password/?reset=true" rel="nofollow">https://login.livingsocial.com/forgot_password/?reset=true</a><p>"""
LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.<p>The database that stores customer credit card information was not affected or accessed.<p>Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.
"""
<i>This e-mail is important, so please read it to the end.</i><p>LivingSocial must have an interesting corporate culture if the subject header of "Security Incident" isn't enough for employees to actually read the email.
The body of an email I received at 6:30 AM Eastern time:<p>from <updates@livingsocial.com>
"
IMPORTANT INFORMATION
LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.<p>The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.<p>The database that stores customer credit card information was not affected or accessed.<p>Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.<p>For your security, please create a new password for your (removed my email address) account by following the instructions below.
Visit <a href="https://www.livingsocial.com" rel="nofollow">https://www.livingsocial.com</a>
Click on the "Create New Password" button (top right corner of the homepage)
Follow the steps to finish
We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).<p>The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.<p>If you have additional questions about this process, the "Create a New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.<p>We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.<p>Sincerely,
Tim O'Shaughnessy, CEO"
Is it time yet that someone builds a cross-platform account management appliance? Currently, we seem to be stuck between things like Kerberos which are complex, and your framework's built-in account framework which often uses SHA-1/MD5 + salt and has no mechanism for upgrading to better alternatives.<p>While things like Persona are awesome, for those who insist on using passwords, why not have a standard "thing" that handles them? It should be able to switch passwords schemes on the fly (via re-encryption or double encryption), store data separately from your main DB, and be all kinds of paranoid.
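A sketch of what such a scheme-switching password store could look like, written as an added example in Ruby since the thread is about a Rails shop. This is not LivingSocial's or Rails' code. The module name, the three self-describing record formats (a legacy salted SHA-1 record, a "wrapped" record where the legacy digest is run through PBKDF2 without needing the plaintext, and a native PBKDF2 record) and the 100,000-iteration work factor are all assumptions made for illustration; the sample legacy row is constructed inline.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Added example, not code from LivingSocial or Rails. Every stored record
# carries its own scheme tag, so the scheme can be changed without a flag day.
# Assumed record formats (all fields '$'-separated, digests as lowercase hex):
#   legacy : "sha1$<salt>$<hex SHA-1(salt+password)>"         (old framework style)
#   wrapped: "pbkdf2-sha256(sha1)$<iter>$<legacy_salt>$<outer_salt>$<hex>"
#            the legacy digest fed into PBKDF2; can be produced offline for the
#            whole table, since it needs no plaintext ("double encryption")
#   native : "pbkdf2-sha256$<iter>$<salt>$<hex>"
module PasswordStore
  LEGACY  = 'sha1'
  WRAPPED = 'pbkdf2-sha256(sha1)'
  NATIVE  = 'pbkdf2-sha256'
  ITER    = 100_000 # assumed work factor; tune to your hardware

  # The weak legacy scheme being migrated away from: hex SHA-1 over salt+password.
  def self.legacy_sha1(password, salt)
    Digest::SHA1.hexdigest(salt + password)
  end

  def self.pbkdf2(secret, salt, iter)
    OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, iter, 32, 'sha256').unpack1('H*')
  end

  # New accounts get the native scheme directly.
  def self.create(password)
    salt = SecureRandom.hex(16)
    "#{NATIVE}$#{ITER}$#{salt}$#{pbkdf2(password, salt, ITER)}"
  end

  # Offline migration step: wrap a legacy row without knowing the password.
  # A stolen table then costs PBKDF2 work per guess instead of one SHA-1.
  def self.wrap_legacy(record)
    scheme, legacy_salt, digest = record.split('$')
    raise ArgumentError, 'not a legacy record' unless scheme == LEGACY
    outer_salt = SecureRandom.hex(16)
    "#{WRAPPED}$#{ITER}$#{legacy_salt}$#{outer_salt}$#{pbkdf2(digest, outer_salt, ITER)}"
  end

  # Recompute the digest a candidate password would produce under the record's scheme.
  def self.expected(record, password)
    fields = record.split('$')
    case fields[0]
    when LEGACY
      _, salt, _ = fields
      legacy_sha1(password, salt)
    when WRAPPED
      _, iter, legacy_salt, outer_salt, _ = fields
      pbkdf2(legacy_sha1(password, legacy_salt), outer_salt, iter.to_i)
    when NATIVE
      _, iter, salt, _ = fields
      pbkdf2(password, salt, iter.to_i)
    else
      raise ArgumentError, "unknown scheme #{fields[0]}"
    end
  end

  # Constant-time comparison so a wrong guess does not leak how much of it matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def self.verify(record, password)
    secure_compare(expected(record, password), record.split('$').last)
  end

  # Login path: returns [ok, replacement_record]. When the password is correct
  # and the record is not already native at the current work factor, the
  # plaintext is in hand, so re-hash natively and return the row to persist.
  # nil means nothing needs rewriting.
  def self.verify_and_upgrade(record, password)
    return [false, nil] unless verify(record, password)
    fields = record.split('$')
    current = fields[0] == NATIVE && fields[1].to_i >= ITER
    [true, current ? nil : create(password)]
  end
end

if $PROGRAM_NAME == __FILE__
  salt = SecureRandom.hex(8) # constructed legacy row, as an old framework might store it
  legacy = "sha1$#{salt}$#{PasswordStore.legacy_sha1('correct horse', salt)}"
  wrapped = PasswordStore.wrap_legacy(legacy)
  ok, upgraded = PasswordStore.verify_and_upgrade(wrapped, 'correct horse')
  puts "wrapped offline: #{wrapped}"
  puts "login ok=#{ok}; rewritten natively as: #{upgraded}"
end
```

The two-phase shape is the point: wrapping runs over the whole table the day you decide SHA-1 is not good enough, so the weak hashes stop existing immediately, and the wrapped-to-native rewrite then happens lazily on each successful login. Raising ITER later is handled the same way, since verify_and_upgrade also treats a native record below the current work factor as needing a rewrite.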
Is their Github account a good indication of the state of their Rails setup? This appeared to be the only Rails-related gem they've open-sourced that's relatively well-followed:<p><a href="https://github.com/livingsocial/rails-googleapps-auth" rel="nofollow">https://github.com/livingsocial/rails-googleapps-auth</a><p>The gemspec here:
<a href="https://github.com/livingsocial/rails-googleapps-auth/blob/master/rails-googleapps-auth.gemspec" rel="nofollow">https://github.com/livingsocial/rails-googleapps-auth/blob/m...</a><p><pre><code> gem.add_runtime_dependency("actionpack", [">= 2.3.5"])
gem.add_runtime_dependency("ruby-openid", ["= 2.1.8"])
gem.add_development_dependency("activesupport", ["~> 3.0"])
gem.add_development_dependency("tzinfo", [">= 0.3"])
gem.add_development_dependency("actionpack", ["~> 3.0"])
gem.add_development_dependency("activemodel", ["~> 3.0"])
gem.add_development_dependency("railties", ["~> 3.0"])
gem.add_development_dependency("rspec-rails", ["= 2.5.0"])
</code></pre>
One of the recent critical vulnerabilities involved ActionPack, pre x.x.10:<p><a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ" rel="nofollow">https://groups.google.com/forum/?fromgroups=#!topic/rubyonra...</a><p>The gemspec above specifies ActionPack 2.3.5 and above...theoretically, it's possible they upgraded their Rails installation without having to upgrade this particular gem...and perhaps they don't use this gem at all anymore (hasn't been updated in 8 months), so this is all speculative.<p>edit: Going to assume that LS at least protected from the Homakov-mass-assignment vulnerability, demonstrated in March 2012: <a href="https://github.com/rails/rails/issues/5228" rel="nofollow">https://github.com/rails/rails/issues/5228</a>
So enough time has passed for the attack to reach the higherups, an internal email authored, that email leaked, the contents of the email confirmed by the company...and NO emails out to the users? What's the harm in making those two emails go out concurrently?
If you go to the website they won't let you log in now without resetting your password. So essentially you only know there's a problem if you go to their website, since they've yet to send an email.<p>But they had time to send me some great Mother's Day Deals half an hour ago!
Much of the issue with passwords could be avoided if the site just sends you a randomly generated password in your introduction email. That way there is no chance of re-use, and if the db gets compromised, just issue a new password.
At what point do we call collecting large numbers of user credentials in a central place that can be accessed worldwide a bad idea?<p>To me this is the problem P2P should be solving, not Facebook, Google or Mozilla.
And there seems to be no way to delete a Living Social account (despite some language that says you can terminate the contract by canceling the account). Very 503 over there right now.
LivingSocial messed up a meal order of mine so badly one time, I had to pay for the meal twice and they still didn't refund my payment. Worst company I've ever dealt with, and I'm really not surprised to see they have a security breach considering the awful experience I had with them and how it seemed that they just didn't know what was going on.