Video live streaming platform LiveStream is warning customers that account information, including names, dates of birth, phone numbers, email addresses and encrypted passwords, may have been accessed by an unauthorised party.
In an email sent out to customers, the company explained that it is requiring all users to reset their passwords:
We recently discovered that an unauthorized person may have accessed our customer accounts database. While we are still investigating the full scope of the incident, it is possible that some of your account information may have been accessed. This may include name, email address, an encrypted version of your password, and if you provided it to us, date of birth and/or phone number. We do not store credit card or other payment information. We have no indication that the encrypted passwords have been decoded, but in an abundance of caution, we are requiring all users to reset their passwords.
No details have been shared at this point regarding how LiveStream was encrypting the passwords, and whether they are actually talking about password hashes and if any salting was in play. (Don’t understand all this salting and hashing stuff when it comes to password encryption? Watch this video).
Obviously it would be wise to ensure that you are not reusing your LiveStream password anywhere else on the net. Password reuse is perhaps the biggest problem with passwords – worse than choosing easy-to-guess passwords.
If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a phishing attack or key logger) and then hackers using it to unlock your other online accounts.
If you find passwords a burden – simply use password management software like Bitwarden, 1Password, and KeePass to make them both safer and easier to remember.
Even if passwords have not been cracked, there remains the potential for anyone who has accessed LiveStream’s customer database to use it to send spam emails and phishing campaigns – so please be on your guard.
When I logged into my LiveStream account I was disappointed to find no warning of a potential security breach and that I wasn’t being forced to reset my password. Instead, I had to go into my account settings to reset it.
I don't use Livestream, yet I got the e-mail. Not sure what that's all about!
Either an old account you don't recall (or know of) or more likely a phishing attempt. Best advice is if you know you don't use a service and an email (or any other medium) claims you do and you have to act – delete it. More generally they hope to ensnare you out of fear; this person might ('could') use this so if we claim they do they might panic and then they are ours … When in doubt, delete it. In the case that they require you to change your password, if you truly use the service, you'll find out when you try to login via their system. So again, when in doubt delete it. Even if it seems legit it doesn't necessarily mean it is (and by seems legit I mean not only the context but how it is worded – pay attention to details no matter how minor or petty they might seem to you).
If this is true, how come Livestream didn't ask me to change my password when I just logged in?
Something else I noticed is the site does not default to SSL. If you click the Livestream banner link in their emails (Livestream · Facebook · Twitter · Help) it takes you to http rather than https to log in.