Feeds

Groupon India publishes 300,000 user passwords

Stored in the clear, indexed by Google

Protecting against web application threats using SSL

Groupon subsidiary Sosasta.com accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google.

The trove of personal data was discovered by Australian security consultant Daniel Grzelak as he plugged a handful of query terms into the search engine, he said Tuesday. He contacted Patrick Gray with security blog Risky Biz, which reported that the SQL database contained the details for 300,000 Sosasta account holders.

A Groupon spokesman confirmed that the digital coupon distributor “was alerted to a security issue” on Thursday night and corrected the problem immediately. The issue was limited to Sosasta, which uses its own servers and network and isn't connected to Groupon's systems in other countries.

“We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible,” the spokesman said in a statement. “We will keep our Indian subscribers fully informed as we learn more.”

At time of writing, there was no advisory on either the Groupon or Sosasta websites, although Sosasta's Facebook page contained a notice that came in the form of a JPG image that couldn't easily be indexed by Google or other search engines. Ah the irony.

According to Risky Biz, Grzelak found the massive cache as he was looking for additions to shouldichangemypassword.com, a side project that indexes email addresses included in more than a dozen high-profile privacy breaches carried out by LulzSec and other hacking groups. The query that hit pay dirt included the terms “filetype:sql” “password” and “gmail.”

“I started scrolling, and scrolling and I couldn't get to the bottom of the file,” Grzelak told Risky Biz. “Then I realised how big it actually was.”

The Groupon statement didn't say why passwords weren't encrypted or why such a sensitive file was publicly available.

The snafu is the latest to expose the folly of using the same password on more than one site, a practice still followed by a shockingly high number of people. If you're one of them, you ought to consider using a password-management program such as Password Safe or KeePass.

The Groupon subsidiary sure isn't the first to carelessly expose data it has promised to keep private, and judging from this Google search, it's probably not the last. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.