Update: A few hours after this article was published, the LivingSocial FAQ was updated to say the company was switching its hashing algorithm to bcrypt. This is a fantastic move by LivingSocial that adds a significant improvement for its users. Bravo!

LivingSocial.com, a site that offers daily coupons on restaurants, spas, and other services, has suffered a security breach that has exposed names, e-mail addresses and password data for up to 50 million of its users. If you're one of them, you should make sure this breach doesn't affect other accounts.

In an e-mail sent Friday, CEO Tim O'Shaughnessy told customers the stolen passwords had been hashed and salted. That means passcodes were converted into one-way cryptographic representations that used random strings to cause each hash string to be unique, even if it corresponded to passwords chosen by other LivingSocial users. He went on to say "your Living Social password would be difficult to decode." This is a matter for vigorous debate, and it very possibly could give users a false sense of security.

As Ars explained before, advances in hardware and hacking techniques make it trivial to crack passwords that are presumed strong. LivingSocial engineers should be applauded for adding cryptographic salt, because the measure requires password cracking programs to guess the plaintext for each individual hash, rather than guessing passwords for millions of tens of millions of hashes all at once. But a far more important measure of protection, password cracking experts say, is the hashing algorithm used. SHA1, the algorithm used by LivingSocial, is an extremely poor choice for secure password storage. Like MD5 and even the newly adopted SHA3 algorithms, it's designed to operate quickly and with a minimal amount of computing resources. A far better choice would have been bcrypt, scrypt, or PBKDF2.

In another understatement, O'Shaughnessy added: "We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same of similar password(s)." It's unfortunate company officials weren't more insistent on this point. Based on everything we know about modern password cracking, it will be trivial for the attackers to crack a large percentage of the LivingSocial passwords. Since the breach also exposed customer names and e-mail addresses, attackers can then try those passwords on other accounts held by the victims and easily access those that match. (The Washington, DC-based LivingSocial, which is partly owned by Amazon, is requiring all account holders to change their passwords.)

In the week following last year's leak of six million password hashes belonging to LinkedIn users, security experts were able to crack more than 90 percent of them in just six days. If the LivingSocial hashes were properly salted, it may take crackers longer to guess the underlying plain-text. But aside from the time investment, salting in no way makes cracking more difficult. The take-away from all of this is that people who used their LivingSocial password to secure accounts on other sites should change those passcodes immediately, and this measure should under no means be considered optional. Passwords should be randomly generated by a password-manager, contain a minimum length of 11 characters, and include numbers, letters, and symbols. They should also be unique to each site.

With 50 million customers affected, the LivingSocial hack is one of the bigger password breaches on record. The 2011 hack of Sony's PlayStation network is still much bigger, with data for around 100 million accounts exposed. O'Shaughnessy said company officials are working with law enforcement agencies to investigate the crime.

Story updated to add detail that LivingSocial used SHA1 algorithm.