Anatomy of a Breach: LivingSocial — 50 Million Accounts and the Daily Deals Data Haul

> series: anatomy_of_a_breach —— part: 053 —— target: livingsocial —— accounts: 50,000,000 —— passwords: salted sha1 (bcrypt since the breach)

Hedgehog Security 31 May 2013

50 million accounts. The daily deal nobody wanted.

In late April 2013, LivingSocial, the Amazon-backed daily deals website, disclosed that attackers had gained unauthorised access to its customer database, compromising approximately 50 million user accounts. The stolen data included names, email addresses, dates of birth for some users, and salted password hashes. LivingSocial said its payment card data, which was held in a separate database, was not accessed. CEO Tim O'Shaughnessy emailed all affected users, expired their existing passwords, and asked them to choose new ones.

LivingSocial stored passwords as SHA-1 hashes with a random per-user salt, and announced after the breach that it had switched to bcrypt. Salting ruled out precomputed (rainbow) tables and forced the attackers to work on each of the 50 million accounts separately, so strong passwords stayed safe; but a single SHA-1 is cheap to compute, which is exactly why weak and reused passwords remained exposed to offline dictionary attacks and why a slower algorithm was the right follow-up. The password question is also only half the story. The breach exposed personal information (names, emails, dates of birth) that can be used for phishing and identity theft regardless of how well the passwords were protected. Fifty million email addresses, many of them paired with a date of birth, both of which banks and other services still use as identity verification answers, represent a significant identity theft dataset in their own right.

Salted hashing helped. It was never going to stop the theft.

LivingSocial's salted hashing, and its move to bcrypt afterwards, are the right kind of control, but no hashing algorithm prevents a breach. Hashing protects passwords after a database is stolen; it does nothing to prevent the database from being stolen in the first place, and it does nothing at all for the names, emails and dates of birth stored alongside the hashes. The breach underscored the principle of defence in depth: strong password hashing is one layer, but network segmentation, application security, vulnerability management, and continuous monitoring are equally essential layers.
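To show concretely what salting and a slow hash each buy once the table is already in the attackers' hands, here is an added Python example written for this page; it is not LivingSocial's code. It simulates the same leaked table stored two ways, salted SHA-1 (what LivingSocial reported using) and PBKDF2-HMAC-SHA256, which stands in for bcrypt because the Python standard library has no bcrypt, then runs one dictionary attack against each. The user records, salts and wordlist are constructed, and ITERATIONS is an arbitrary work factor chosen for illustration.

```python
"""Salted fast hash vs. salted slow hash, seen from the attacker's side.

Added example, not LivingSocial's code. USERS, WORDLIST and the salts are
constructed; salts are derived deterministically so the run is reproducible.
"""
import hashlib
import time

ITERATIONS = 50_000  # PBKDF2 work factor (assumption); bcrypt's cost plays the same role


def sha1_salted(password: str, salt: bytes) -> bytes:
    """One SHA-1 over salt||password: cheap per guess, but salted."""
    return hashlib.sha1(salt + password.encode()).digest()


def pbkdf2_slow(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Deliberately slow salted KDF: every guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed users: two share a weak password, one has a strong one.
USERS = [
    ("alice@example.com", "password1"),
    ("bob@example.com", "password1"),
    ("carol@example.com", "X9#vL2q!tR7mWz4p"),
]

# Constructed attacker wordlist, in the order it will be tried.
WORDLIST = ["123456", "password", "password1", "livingsocial", "qwerty"]


def build_table(users, hash_fn):
    """Simulate the stored table: (email, salt, digest), a unique salt per user."""
    table = []
    for i, (email, pw) in enumerate(users):
        salt = hashlib.sha256(f"constructed-salt-{i}".encode()).digest()[:16]
        table.append((email, salt, hash_fn(pw, salt)))
    return table


def crack(table, wordlist, hash_fn):
    """Offline dictionary attack. Returns ({email: password}, number of guesses hashed).

    Because each record has its own salt, every guess has to be hashed per
    account; there is no shared precomputed table to look the digest up in.
    """
    found, guesses = {}, 0
    for email, salt, digest in table:
        for word in wordlist:
            guesses += 1
            if hash_fn(word, salt) == digest:
                found[email] = word
                break
    return found, guesses


def salts_defeat_reuse(table):
    """True if all stored digests differ, even though two users share a password."""
    digests = [d for _, _, d in table]
    return len(set(digests)) == len(digests)


def compare():
    """Run the identical attack against both storage schemes; return results and timings."""
    out = {}
    for name, fn in (("sha1_salted", sha1_salted), ("pbkdf2", pbkdf2_slow)):
        table = build_table(USERS, fn)
        t0 = time.perf_counter()
        found, guesses = crack(table, WORDLIST, fn)
        out[name] = {
            "cracked": found,
            "guesses": guesses,
            "seconds": time.perf_counter() - t0,
            "distinct_digests": salts_defeat_reuse(table),
        }
    return out


if __name__ == "__main__":
    for name, res in compare().items():
        print(f"{name:12} cracked={sorted(res['cracked'])} guesses={res['guesses']} "
              f"time={res['seconds']:.3f}s distinct_digests={res['distinct_digests']}")
```

Both schemes give up the same two weak accounts after the same eleven guesses, and both keep the strong one; the salt is what stops the shared "password1" from being cracked once for both users. The only difference is that each PBKDF2 guess costs ITERATIONS hash computations instead of one, and that multiplier is the time a forced password reset has to beat. Neither scheme does anything about the SELECT that emptied the table.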

Dates of Birth as Attack Data
Dates of birth are commonly used as identity verification questions by banks, insurers, and government services. Tens of millions of DOB records paired with names and emails create a rich dataset for social engineering and account takeover attacks against entirely unrelated organisations. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> test whether your verification processes would hold up against a caller armed with exactly this type of data.
Database Access Control
The attackers read a production database containing 50 million records; the public disclosure did not say how they reached it. A <a href="/penetration-testing/infrastructure">penetration test</a> would assess whether the database is reachable from anywhere other than the application tier, whether the application's database account can dump whole tables rather than fetch single rows, and whether access controls on the hosts in between actually hold.
Salted Hashing Limited the Damage
As with <a href="/blog/anatomy-of-a-breach-zappos">Zappos</a>, the passwords were not stored in the clear. Per-user salts meant the stolen hashes could not be attacked with precomputed tables and had to be cracked one account at a time, so strong passwords stayed protected even after the database was gone. SHA-1 is fast, though, so weak passwords were still recoverable, which is why LivingSocial moved to bcrypt, whose configurable cost makes every guess expensive. Our <a href="/penetration-testing/web-application">application testing</a> verifies which algorithm, salt and cost factor your application actually uses.
Detection and Response
LivingSocial detected the breach, disclosed it within days, and expired every affected password: a reasonable response once the data was gone. The better outcome is noticing sooner. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that flags unusual query volume or an unfamiliar source reading a customer table while the exfiltration is still in progress. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response when a breach is detected.
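What "database access anomalies" can mean in practice, as an added example that is not part of the original post and is not SOC in a Box's detection logic: a small Python detector run over constructed database audit-log lines. The log format, the source IP baseline for the service account, the 10,000-rows-per-five-minutes threshold and the column names are all assumptions for illustration; a real deployment would feed it the audit log of its own database server.

```python
"""Flag bulk reads of a customer table from database audit logs.

Added example. The log format, SAMPLE_LOG lines, KNOWN_SOURCES baseline and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed audit-log format: one statement per line with caller and row count.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)

# Constructed traffic: three normal point lookups, then two half-table dumps
# from an address the application account has never used before.
SAMPLE_LOG = """\
2013-04-26T01:58:01Z user=app_web src=10.0.1.15 rows=1 stmt="SELECT id,email FROM users WHERE id=$1"
2013-04-26T01:58:02Z user=app_web src=10.0.1.16 rows=1 stmt="SELECT id,email FROM users WHERE id=$1"
2013-04-26T01:59:10Z user=app_web src=10.0.1.15 rows=40 stmt="SELECT id,title FROM deals WHERE city_id=$1"
2013-04-26T02:14:03Z user=app_web src=10.0.9.200 rows=500000 stmt="SELECT name,email,dob,password_hash FROM users LIMIT 500000 OFFSET 0"
2013-04-26T02:14:51Z user=app_web src=10.0.9.200 rows=500000 stmt="SELECT name,email,dob,password_hash FROM users LIMIT 500000 OFFSET 500000"
"""

KNOWN_SOURCES = {"app_web": {"10.0.1.15", "10.0.1.16"}}  # assumed baseline per account
ROWS_PER_WINDOW = 10_000                                   # assumed threshold
WINDOW = timedelta(minutes=5)
SENSITIVE_RE = re.compile(r"\b(dob|password_hash)\b")     # assumed column names


def parse(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rows"] = int(ev["rows"])
    return ev


def detect(lines):
    """Return a list of alert dicts, in log order, for three simple rules."""
    alerts = []
    seen_sources = set()
    windows = defaultdict(deque)  # (user, src) -> deque of (ts, rows) inside WINDOW
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])

        # Rule 1: service account used from an address outside its baseline (once per pair).
        if ev["src"] not in KNOWN_SOURCES.get(ev["user"], set()) and key not in seen_sources:
            seen_sources.add(key)
            alerts.append({"rule": "unknown_source", "ts": ev["ts"], "src": ev["src"]})

        # Rule 2: rows returned to one (user, src) within the sliding window exceed the baseline.
        w = windows[key]
        w.append((ev["ts"], ev["rows"]))
        while w and ev["ts"] - w[0][0] > WINDOW:
            w.popleft()
        total = sum(r for _, r in w)
        if total > ROWS_PER_WINDOW:
            alerts.append({"rule": "bulk_read", "ts": ev["ts"], "src": ev["src"],
                           "rows_in_window": total})

        # Rule 3: sensitive columns selected with no WHERE clause, i.e. a table scan.
        stmt = ev["stmt"].lower()
        if SENSITIVE_RE.search(stmt) and " where " not in stmt:
            alerts.append({"rule": "sensitive_unfiltered", "ts": ev["ts"], "src": ev["src"],
                           "stmt": ev["stmt"]})
    return alerts


def summarize(alerts):
    """Count alerts per rule."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["ts"].isoformat(), a["rule"], a["src"], a.get("rows_in_window", ""), a.get("stmt", ""))
    print(summarize(found))
```

On the constructed log the first dump statement trips all three rules at 02:14:03, after 500,000 of the 1,000,000 rows have left, which is the point of the exercise: any one of an unfamiliar source, an out-of-profile row count, or a WHERE-less read of the password column is enough to page someone while the second half of the table is still in the database.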

Every layer matters — not just password hashing.

The LivingSocial and Zappos breaches both demonstrate that good password hashing is necessary but not sufficient. A complete security posture needs application testing to find the vulnerabilities attackers exploit for initial access, infrastructure testing to validate network segmentation and database access controls, Cyber Essentials certification for the baseline controls, continuous SOC monitoring so a bulk read is noticed while it is happening, and an incident response capability for when prevention fails. Each layer reduces risk; no single layer eliminates it.


Hashing protected the passwords, at least the strong ones, but not the personal data. Is your defence layered?

Our <a href="/penetration-testing">penetration testing</a> assesses every layer — application, infrastructure, access controls, and monitoring. <a href="/cyber-essentials">Cyber Essentials</a> certifies the baseline. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors continuously.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call