News of the LivingSocial data breach is circulating on the Internet, an incident that threatens the privacy of millions of users and that rekindles the debate on the level of security provided by major service companies that handle the personal data of millions of users.
LivingSocial is one of the largest daily-deals companies, second only to Groupon Inc., and is part-owned by Amazon.com Inc. Last Friday it was hit by a cyber attack that may have affected more than 50 million customers. The attackers gained access to the company's servers and to customer data including names, email addresses, “encrypted” passwords and some users' dates of birth.
The news came from an internal memo emailed to employees and obtained by AllThingsD; the memo confirmed the LivingSocial data breach and stated that neither customer credit card information nor merchant banking information was compromised.
The company promptly sent an email to its clients recommending that affected customers create new passwords, in the message sent by the company's Chief Executive Tim O'Shaughnessy:
“We recently experienced a cyber attack on our computer systems that resulted in unauthorized access to some customer data from our servers,”
“We are actively working with law enforcement to investigate this issue.”
The Imperva Security Blog published an interesting post on the LivingSocial data breach trying to understand what happened; considering the enormous amount of data taken, it is likely that the attackers exploited a vulnerability using a web SQL injection attack or a framework-based attack.
Imperva's experts elaborated two hypotheses on the LivingSocial data breach:
The SQL Injection attack hypothesis
Based on the data structure that the LivingSocial company announced it holds, it is very likely that the attackers used a SQL injection attack.
The framework based attack hypothesis
Attackers may have exploited a vulnerability in the Ruby on Rails technology used by LivingSocial in its applications and application servers. Various Ruby vulnerabilities enable a remote attacker to gain control over an exposed server and execute arbitrary code to compromise the target. In this case LivingSocial may not have patched its software.
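To make the SQL injection hypothesis concrete, here is an added example that is not from the Security Affairs post or from Imperva's analysis and has nothing to do with LivingSocial's actual code: a customer lookup that splices user input into the query text, placed beside the same lookup with a bound parameter, both run against a constructed three-row in-memory SQLite table. The `customers` table, column names and records are hypothetical.

```python
import sqlite3

# Constructed sample records standing in for the kind of customer data the
# post describes (names, e-mails, password hashes). Hypothetical table name.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "alice@example.com", "hash-of-alice-pw"),
    ("Bob Example", "bob@example.com", "hash-of-bob-pw"),
    ("Carol Example", "carol@example.com", "hash-of-carol-pw"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email, pw_hash) VALUES (?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Defective pattern: the untrusted value is spliced into the SQL text.

    Whatever the caller sends becomes part of the statement, so a value that
    contains a quote and an OR clause rewrites the WHERE condition.
    """
    query = f"SELECT name, email FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, email):
    """Corrected pattern: the value is bound as a parameter.

    The driver hands it to the engine as data, never as SQL, so the same
    input simply fails to match any row.
    """
    query = "SELECT name, email FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def compare(email):
    """Return (row count from vulnerable lookup, row count from hardened lookup)."""
    conn = build_db()
    try:
        return len(lookup_vulnerable(conn, email)), len(lookup_hardened(conn, email))
    finally:
        conn.close()


def run_demo():
    """Run both lookups against a normal e-mail and a tautology input."""
    return {
        "normal": compare("alice@example.com"),
        # Textbook tautology: turns the condition into email = '' OR '1'='1'.
        "tautology": compare("' OR '1'='1"),
    }


if __name__ == "__main__":
    for label, (vuln, safe) in run_demo().items():
        print(f"{label:10s} vulnerable returned {vuln} rows, hardened returned {safe}")
```

The point for a defender is the second line of output: the string-built query hands back every customer row for an input that is not an e-mail address at all, while the parameterized query returns nothing, which is also the behaviour a query-log review or a WAF rule should expect from a healthy application.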
Whatever the cause of such a serious data breach, it is fundamental that the company operates to protect its customers and to ensure the continuity of its activity.
Once again, the media impact of such incidents could have a serious effect on victims guilty of underestimating the importance of cyber security.
Pierluigi Paganini
(Security Affairs – Data Breach)