We have heard of many similar instances over the past few years. I've written about this in previous posts and will be giving a talk on authentication and passwords at Secure360 in St. Paul, MN in a couple of weeks.
In their defense, Living Social did do a couple of things well. First of all, fortunately, they did store only encrypted passwords. Unfortunately, many organizations don't. Unfortunately, they used an older, weaker encryption algorithm. And, of course, unfortunately, they got breached and had the file downloaded.
Fortunately, they did a nice job in notifying customers. Fortunately, they expired all passwords and forced everyone to set a new password. Unfortunately, you need to log in with your old password first.
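As an added illustration (not Living Social's code; the post does not name the algorithm they used), here is the upgrade-on-login pattern a site can use to move password records off a weak legacy scheme. It assumes a fast, unsalted SHA-1 digest as a stand-in for the "older, weaker algorithm" and salted PBKDF2-HMAC-SHA256 as the replacement; because the plaintext is only available when the user logs in, the upgrade (like the forced reset described above) has to happen at that moment.

```python
import hashlib
import hmac
import os

# Assumed new scheme: salted PBKDF2-HMAC-SHA256 with a high iteration count,
# so each offline guess against a stolen file costs far more than one SHA-1.
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """Constructed stand-in for the weak legacy store: fast, unsalted SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()


def new_hash(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 record in a self-describing format: scheme$iters$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_upgraded(stored: str) -> bool:
    return stored.startswith("pbkdf2_sha256$")


def verify(password: str, stored: str) -> bool:
    """Verify against either record format, using constant-time comparison."""
    if is_upgraded(stored):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_hash(password), stored)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success with a legacy record, re-hash under the new scheme.

    `users` is a constructed in-memory stand-in for the credential store.
    A failed attempt never touches the stored record.
    """
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if not is_upgraded(stored):
        users[username] = new_hash(password)
    return True
```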
But perhaps most unfortunate of all is the potential for password reuse to be exploited. The attackers know there's a very good chance that many people use the exact same username/email-address plus password pair at other sites.
As I discussed in this post a few months ago, most users have accounts on 25 different online sites, but use only 6.5 different passwords. So the odds are pretty good that the hackers will find another site on which some of these passwords have been reused.
The attackers know that passwords at the Living Social site will be changed. However, if they try these username/email-address plus password pairs at some of the major online banking sites, Amazon, Google, iTunes and other e-commerce sites, they are bound to have some success. And we don't want them to have success.
So, as I've said in the past and will say in the future (because this problem isn't going away anytime soon)...
- choose good long passwords (long sentences are just fine)
- use a password vault, and
- use a unique password at each online site.
- (bonus) use 2-factor authentication for online sites when available (and complain if it isn't available yet!)