The popular daily deal site LivingSocial announced Monday it has abandoned the SHA1 hash for the Blowfish-based bcrypt following a massive data breach that impacted 50 million customers.
The company confirmed last weekend that its computer systems were attacked and thieves gained access to names, e-mail addresses, dates of birth (for some users) and encrypted passwords. The passwords had been hashed and salted, but as a precaution, customers today began receiving e-mail notices to change their passwords in the event the secret codes are unscrambled.
A security notice on the LivingSocial Web site stressed that customer credit card data was not illegally accessed.
However, anyone who uses the same login information for other sites should be prepared to change the passcodes on those sites as well.
“We do not believe that any customer accounts have been compromised due to this incident,” an FAQ states. “It is difficult to decode a password that has gone through the hashing and salting process, and we have not received any abnormal reports of accounts with unauthorized charges or activity. We are enhancing our monitoring of accounts for any unusual activity on an ongoing basis. Out of an abundance of caution, we request that customers create new passwords.”
In explaining the difficulty cyber thieves would have decoding the passwords, the company also said it was strengthening its password protection by changing its hash to the more complex bcrypt algorithm, which is based on the Blowfish cipher.
Bloomberg reported that an e-mail from LivingSocial CEO Tim O’Shaughnessy had been sent to all customers except those using subsidiaries in South Korea, Thailand, Indonesia and the Philippines, which were not impacted by the data breach. Those who need to change their passwords include customers in North America, Australia, New Zealand, the United Kingdom and Malaysia. The breach also impacts LetsBonus users in Southern Europe and parts of Latin America.
Washington, D.C.-based LivingSocial is a rival of Groupon that offers daily coupons on a wide variety of services and was most recently valued at $1.5 billion.