LivingSocial security notice

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The database that stores customer credit card information was not affected or accessed.

Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.

For your security, please create a new password by clicking the button below.

change your password now

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to login – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a different website that asks for such information.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

FAQ

  • What happened? We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.
  • What information of mine was accessed? The information included names, email addresses, date of birth for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.
  • Did they get access to my payment information or credit card data? No, the database that stores customer credit card information was not affected or accessed.
  • Were any customer accounts hacked? We do not believe that any customer accounts have been compromised due to this incident. It is difficult to decode a password that has gone through the hashing and salting process, and we have not received any abnormal reports of accounts with unauthorized charges or activity. We are enhancing our monitoring of accounts for any unusual activity on an ongoing basis. Out of an abundance of caution, we request that customers create new passwords.
  • What kind of protections do you use to protect my password and how does it work? LivingSocial never stores passwords in plain text. LivingSocial passwords were hashed with SHA1 using a random 40 byte salt. What this means is that our system took the passwords entered by customers and used an algorithm to change them into a unique data string (essentially creating a unique data fingerprint) – that’s the “hash”. To add an additional layer of protection, the “salt” elongates the password and adds complexity. We have switched our hashing algorithm from SHA1 to bcrypt.
  • I’ve never bought anything from your website, how did you have my information? If you signed up to receive emails from LivingSocial, your email address was in our system.
  • Why can't I reset my password? Many users signed up to receive LivingSocial emails but never created an account with a password. If you have not created an account, there is no need to update your password.
  • Was any information from LivingSocial merchants affected? The database that stores merchants’ financial and banking information was not affected or accessed. Because merchants also use the same login information as LivingSocial customers, they also must go through the password reset process.
  • Besides changing my password, what else can I do to protect myself against identity theft or fraud? We encourage you, for your own personal data security, to change password(s) on any other sites on which you use the same or similar password(s). Additionally, it is recommended that you regularly change all passwords.
  • How can I pick a secure password? The most secure passwords use a combination of capital and lower case letters, numbers, and special symbols like “!” or “$”. This prevents malicious parties from using dictionary attacks to guess likely combinations of words.
  • Did LivingSocial report this incident to law enforcement? Yes, we are actively working with law enforcement to investigate this issue.
  • I log in to LivingSocial using Facebook Connect – does this affect me? Your Facebook credentials were not compromised, but if you ever created a separate LivingSocial password, please create a new password.
  • What did LivingSocial do to investigate the incident? We are working with internal and external forensic security teams to investigate the nature of the incident and to further improve our security systems, and we are working with law enforcement to investigate this incident.
  • Why did I receive an email about a security incident at LivingSocial when I unsubscribed from emails? Many LivingSocial customers choose to browse and buy on our website, but opt not to receive daily emails. We have attempted to contact anyone potentially affected by the security incident even if you have unsubscribed from LivingSocial marketing emails. If you have already opted not to receive email distribution, you will not receive marketing emails from LivingSocial.
  • Is there anything else I can do to protect myself? While so far there has been no evidence of fraud stemming from this incident, you may wish to obtain and review your free annual copy of your credit report. We recommend you be vigilant over the next 12 months and review your credit card bills and credit report for unauthorized activity. You should also promptly report any suspected identify theft to your local law enforcement agency, the U.S. Federal Trade Commission, your financial institution, and to the Fraud Alert phone line of one of the three national consumer reporting agencies. You can find more information about credit reports and fraud alerts here.