LivingSocial data breach exposed 50 million customers records

By Pierluigi Paganini, Editor-in-Chief, CDM

April 30, 2013, 11:30 am EST

LivingSocial data breach exposed 50 million customer records; the news is shocking and is circulating on the Internet since last Friday.

On The internet is circulating the news of the LivingSocial data breach, an incident that menace the privacy of million of users and that rekindling the debate on the level of security provided by major service companies that handle personal data of millions of users.

LivingSocial is one of the largest daily deals company, behind Groupon Inc., part-owned byAmazon.com Inc., last Friday it was hit by a cyber attack that may have affected more than 50 million customers. The attackers gathered the access to the company servers and to customer data including names, email addresses, “encrypted” passwords and some users’ dates of birth.

The news has been provided by an internal memo emailed to employees and obtained by AllThingsD, the memo confirmed LivingSocial data breach and that neither customer credit card information nor merchant banking information was compromised.

The company promptly sent an email to its clients recommending the creation of new passwords for affected customers, following the message sent via email by the company Chief Executive Tim O’Shaughnessy:

“We recently experienced a cyber attack on our computer systems that resulted in unauthorized access to some customer data from our servers,”

“We are actively working with law enforcement to investigate this issue.”

The Imperva Security Blog published an interesting post on the LivingSocial data breach trying to understand what happened, considering the enormous amount of data it is likely to think that the attackers exploited a vulnerability using a web SQL Injection attack or a framework based attack.

lock

Imperva experts elaborated two hypotheses on the LivingSocial data breach:

The SQL Injection attack hypothesis

Based on the data structure that LivingSocial company announced to have it is very likely that the attackers used a SQL Injection attack.

The framework based attack hypothesis

Attackers may have exploited vulnerability in Ruby-On-Rails technology used by LivingSocial in its applications and application servers. Various Ruby vulnerabilities  enable a remote attacker to gain control over an exposed server and execute arbitrary code to compromise the target. In this case the LivingSocial may haven’t patched its software.

Whatever is the cause of a so serious data breach it is fundamental that the company operates protecting its customers and ensuring the continuity of its activity

Once again the media impact of such incidents could have a serious impact on the victims guilty of underestimating the importance of cyber security.

(Source: CDM & Security Affairs – Data Breach)

Subscribe to Cyber Defense Magazine

Join our mailing list, no strings attached. We never sell your data. We'll send you monthly e-magazines, webinar invites from us and our partners, cybersecurity trade show updates, awards, infosec news, cybersecurity tips and so much more on all things cyber defense.
Subscribe

Related News

No related posts.

April 30, 2013

CyberDefenseMagazine Follow 24,016 54,487

Cyber Defense Magazine - The Premier Source for IT Security and Compliance Information. https://t.co/748STKH6k0.

cyberdefensemag

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

Show Me!
X