LivingSocial, the second-largest daily deal company behind Groupon Inc, said on Friday it was hit by a cyber attack that may have affected more than 50 million customers.
The company said the attack on its computer systems resulted in unauthorised access to customer data, including names, email addresses, dates of birth for some users and "encrypted" passwords.
LivingSocial stressed that customer credit card and merchants' financial and banking information were not affected or accessed. It also does not store passwords in plain text.
"We are actively working with law enforcement to investigate this issue," the company, part-owned by Amazon.com Inc, wrote in an email to employees.
LivingSocial does not disclose how many customers it has. However, spokesman Andrew Weinstein said "a substantial portion" of the company's customer base was affected. LivingSocial is also contacting customers who closed accounts, because it still has their information stored in databases, he added.
The attack hit customers in the United States, Canada, the UK, Ireland, Australia, New Zealand, Malaysia, Southern Europe and Latin America. Customers in South Korea, Indonesia, the Philippines and Thailand were not affected, Weinstein said.
"In light of recent successful widespread attacks against major social networking sites, it's obvious that these providers are simply not doing enough to protect their customers' information," said George Tubin, senior security strategist at Trusteer, a computer security company.
The attack comes as LivingSocial struggles to handle a decline in consumer and merchant demand for daily deals. The company raised US$110 million from investors, including Amazon, earlier this year, but was forced to make large concessions to get the new money.
Amazon invested US$56 million in LivingSocial in the first quarter, according to a regulatory filing on Friday, which also revealed the company had a first-quarter operating loss of US$44 million on revenue of US$135 million.
LivingSocial said on Friday it was beginning to contact more than 50 million customers whose data may have been affected by the cyber attack.
LivingSocial told customers in an email that they should log on to LivingSocial.com to create a new password for their accounts.
"We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s)," LivingSocial Chief Executive Tim O'Shaughnessy wrote in the email.
"We are sorry this incident occurred."
All Things D reported the cyber attack earlier on Friday.
(Reporting by Alistair Barr; Editing by Tim Dobbyn, Bernard Orr and Andre Grenon)