Why LivingSocial’s 50-million password breach is graver than you may think

Update: A few hours after this article was published, the LivingSocial FAQ was updated to say the company was switching its hashing algorithm to bcrypt. This is a fantastic move by LivingSocial that adds a significant improvement for its users. Bravo!

LivingSocial.com, a site that offers daily coupons on restaurants, spas, and other services, has suffered a security breach that has exposed names, e-mail addresses and password data for up to 50 million of its users. If you're one of them, you should make sure this breach doesn't affect other accounts.

In an e-mail sent Friday, CEO Tim O'Shaughnessy told customers the stolen passwords had been hashed and salted. That means passcodes were converted into one-way cryptographic representations that used random strings to cause each hash string to be unique, even if it corresponded to passwords chosen by other LivingSocial users. He went on to say "your Living Social password would be difficult to decode." This is a matter for vigorous debate, and it very possibly could give users a false sense of security.
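The salting described above, and one way a site can move stored passwords to a slower algorithm as users log in, shown as an added example that is not code from the article or from LivingSocial. The article names no original algorithm, so SHA-256 as the fast hash, PBKDF2 standing in for bcrypt (which is not in Python's standard library), the iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your own hardware


def legacy_hash(password: str, salt: bytes) -> bytes:
    # One salted pass of a fast hash. SHA-256 is an assumption here.
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    # Deliberately expensive key derivation, standing in for bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_record(password: str, scheme: str = "pbkdf2") -> dict:
    # A fresh random salt per user makes identical passwords hash differently.
    salt = os.urandom(16)
    fn = slow_hash if scheme == "pbkdf2" else legacy_hash
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}


def verify_and_upgrade(record: dict, password: str):
    """Check a login; return (ok, record_to_store).

    The server never holds the plaintext outside a login, so a legacy
    record can only be rehashed at the moment the user proves the password.
    """
    fn = slow_hash if record["scheme"] == "pbkdf2" else legacy_hash
    candidate = fn(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if ok and record["scheme"] != "pbkdf2":
        record = new_record(password)  # new salt, slow scheme
    return ok, record


if __name__ == "__main__":
    alice = new_record("correct horse", scheme="legacy")  # constructed sample
    bob = new_record("correct horse", scheme="legacy")
    print("same password, different hashes:", alice["hash"] != bob["hash"])
    ok, alice = verify_and_upgrade(alice, "correct horse")
    print("login ok:", ok, "| stored scheme now:", alice["scheme"])
```

The salt makes every stored hash unique, but only the work factor changes how much each individual guess costs.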
