Security The Internet

LivingSocial Hacked: 50 Million Users Exposed

wiredmikey writes "Daily deals site and Groupon competitor LivingSocial said on Friday it had fallen victim to a cyber attack that put its roughly 50 million users at risk. 'LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers,' the company said in a brief note on its site while prompting users to reset their passwords. Attackers reportedly obtained information including names, email addresses, date of birth for some users, and passwords, which fortunately were hashed and salted. Additionally, the database holding credit card information was not accessed by the attacker, the company said. 'While it is good that the passwords stolen from LivingSocial are hashed and salted as this will likely slow down the cracking process, it won't stop it,' Rapid7's Ross Barrett said. 'Once they had cracked the first round with the tools at their disposal, they posted the hashes in a Russian hacker forum where other motivated individuals with the necessary skills and more advanced cracking tools were able to help decode the remaining passwords,' Barrett continued. 'While salting the passwords will slow this process down further, eventually the attackers or their network will get the information they're after.' LivingSocial said they are actively working with law enforcement to investigate the incident but have not provided any additional details."
This discussion has been archived. No new comments can be posted.

  • by larry bagina ( 561269 ) on Friday April 26, 2013 @10:28PM (#43564025) Journal

    Every user gets a random salt. If you know the salt, you can generate a rainbow table for it. But, again, every user has a different salt so you need to generate a rainbow table for every user.

    Generating a one-time rainbow table that cracks every password ever is easier than generating a rainbow table per password.

  • by Anonymous Coward on Friday April 26, 2013 @10:35PM (#43564075)

    The point of the salt is that previously generated and downloadable rainbow tables are of no use. Making new ones would kind of defeat the purpose, as you're effectively brute forcing a tough, hashed password anyway at that point.

    This is why it's good practice. It helps mitigate complexity concerns over user supplied passwords, and can make cracking multiple account pwd hashes unrealistic.

  • by BradleyUffner ( 103496 ) on Friday April 26, 2013 @10:42PM (#43564113) Homepage

    The salts aren't meant to be secure. They are commonly stored in plain text right next to the password in the database. The salt's actual job is not to prevent a hacker from breaking that user's password, but to prevent the hacker from being able to break all the passwords at once. The salt effectively "messes up" the hash of the password so that even if multiple users have the exact same password they will have different hashes. We all know many users use "1234" as their password. If each user has a random salt applied to the password and if the hacker guesses one user's password, he can't look at all the other users with the same hash and know that they all have the same password. The hacker has to spend the time cracking each password individually.
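
The effect the comments above describe, as an added example that is not part of the original thread or any commenter's code: identical passwords collide without a salt, and a per-user salt forces one wordlist pass (or one precomputed table) per account. SHA-256, the account names, the passwords and all function names are assumptions made for illustration; the page does not say which hash LivingSocial used.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not data from the breach); two users share "1234".
ACCOUNTS = {"alice": "1234", "bob": "1234", "carol": "correct horse"}

def store(password, salt):
    """Return the (salt, digest) record a site would keep for one user."""
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

def verify(password, record):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(store(password, salt)[1], digest)

def accounts_sharing_a_hash(table):
    """How many accounts have a digest identical to another account's."""
    counts = Counter(digest for _, digest in table.values())
    return sum(n for n in counts.values() if n > 1)

def hashes_to_cover(table, wordlist_size):
    """Hash computations needed to test a whole wordlist against every record:
    one pass (or one precomputed table) per distinct salt."""
    return len({salt for salt, _ in table.values()}) * wordlist_size

def build_tables(accounts=ACCOUNTS):
    """Build the same account set twice: with no salt and with a random 16-byte salt each."""
    unsalted = {u: store(p, b"") for u, p in accounts.items()}
    salted = {u: store(p, os.urandom(16)) for u, p in accounts.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    for name, table in (("unsalted", unsalted), ("per-user salt", salted)):
        print(name,
              "| accounts sharing a hash:", accounts_sharing_a_hash(table),
              "| hashes for a 1M-word list:", hashes_to_cover(table, 1_000_000))
```

The salt is stored in the clear next to the digest, and `verify` still works because the site reads it back at login; the cost falls only on whoever has to test guesses against many records.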
