Groupon India publishes 300,000 user passwords

Groupon subsidiary Sosasta.com accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google. The trove of personal data was discovered by Australian security consultant Daniel Grzelak as he plugged a handful of query terms into the search engine, …

COMMENTS

This topic is closed for new posts.

shakes head

Inflated valuation, IPO, shady CEO, what next? I'm tellin ya, every time I see the name "Groupon" the ensuing articles just get funnier.


The question is

Will spammers be giving 50% off discounts?

FAIL

Really, really, pathetic

Any programmers involved should be fired and shot.

Unhappy

@da_fish27

"Any programmers involved should be fired and shot."

Team responsible no doubt have a CMM 5 certificate.

Thumb Up

@da_fish27

We outsource a lot of coding to a certain very large Indian operation. Some of the code that comes back is truly shocking, as in: "the person wot wrote this is obviously a clueless fucktard of the highest order".

It may be cheap, but you get exactly what you paid for...

Facepalm

Not much wrong with using the same password

for sites where you don't care about security much - this one for instance, and a lot of other news forums etc. The ones to be very careful with are the obvious: anything with the slightest connection to money/identity.

Groupon are a class act, though. A slow train wreck.

FAIL

Not so fast: Not much wrong with using the same password

Yes there is.

1. Let's say 10,000 people use the same username (gmail id) / same password for useless sites like el reg and xnet and groupon subsidiaries. (But a totally diff one for gmail, bank, etc.)

2. xnet, being more security conscious than el reg, ups the security by asking a few personal questions in case you lose your password, such as "Where was the first time you had anal sex" etc.

3. groupon subsidiary loses all the passwords.

4. 10000 xnet and el reg accounts are hacked, no problem.

5. But out of those 10k lusers, 50% of them have the same security question at bank/gmail etc.

- So 5000 lusers give away access to their bank/gmail etc. by losing groupon -> xnet -> bank.

Alien

@alwarming

One would assume that if someone is security conscious enough not to use the same username/password for sites that matter, they would also choose a different security question, or do what I do: when forced to choose a question, answer a load of garbage, then forget it.

FAIL

Yes, because you can always choose your security questions.

So you have different security questions everywhere? Very probable.

And those people who are just doing as they're told, they circumvent this trap by filling in garbage (as opposed to something sensible, like a password management tool, or nothing at all)? Even more probable.

Anonymous Coward

Same

Any site insisting on a security question gets something like "lbbyiyiuhjhffjfyj" as an answer. One of my biggest bugbears with Win 7 was its insistence on entering a password hint.

If a site is important enough for me to actually worry about what happens if I've lost my password, there's a good chance I've a record of the password somewhere.

If sites are going to insist on security questions, they either need to let the user define the question or at least up their game a bit so we can't find the answer with a quick Google search.


Allow me to explain.

- I am talking about 10000 people - deliberately. So there is bound to be a percentage who are not as security conscious as some of you (who are el reg readers).

. e.g.: This is not going to happen to people who type "lbbyiyiuhjhffjfyj" for the security answer [unless they always type the same string :)]. But what is the percentage of people who do that?

. Are questions across sites really unique if you register to over 100 sites over a period of 5-6 years? "What was your first telephone number?" "What was your first pet's name?"

. Combine this with people who have facebook walls open.

The basic reason for me to post was that someone made a suggestion that it's OK to use the same password everywhere, while it is not OK for the majority of the population to do so, even though some smart people may get away with it.

And I certainly don't mean to challenge your individual intelligence here.

Anonymous Coward

seeding?

Does nobody seed databases anymore to make it easier to track if there is a breach? Heck, even marketing does this occasionally.

Pint

Silver lining?

On the plus side, at least they weren't hacked!

Anonymous Coward

Google is your friend

Just did a search myself; found an SQL dump of yet another website, full user details with passwords stored as simple MD5 hashes (an online decryptor supplied plain-texts for every one I tried). This dated from 2009; what sort of admin puts such things where a search engine can find it, and leaves it there so long too!!

Gimp

AC@23:05

<--

"What sort of admin puts such things where a search engine can find it, and leaves it there so long too!!"

Not so much an admin as more one of these guys.

Paris Hilton

As if the hacking wasn't enough...

we have people literally leaving password lists on the web!!

Paris--because I bet that she would realize that's a bad idea.

Coffee/keyboard

Keypass/Keysafe?

Surely the best method for keeping online passwords safe is to have an 'airgap' and write them down on a bit of paper?

Joke

Groupon fixed the issue

User-agent: *
Disallow: /sqldatabase

There, fixed.

Happy

Offshoring: They "just don't get it"

... and that's a good thing, because it keeps us in the UK in jobs, firefighting their appalling output. Problem solving, diligence, honesty, thoroughness, common sense and defensive programming practices are not included in the daily £5 rate of your average Indian offshore wallah. But in the minds of some (GroupOn CIOs), the math somehow stacks up very nicely.

Big Brother

Why are they storing passwords in the first place???

Whoever designed their system (especially the ones that call themselves "Architects") should immediately be let go. Even newbie web programmers know not to store clear-text passwords anywhere, but instead just store and compare against an MD5 or SHA hash of it.

FAIL

md5?

google filetype:sql e10adc3949ba59abbe56e057f20f883e

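The post above recommends storing a bare MD5 or SHA hash, and the reply shows why that is not enough: an unsalted hash of a common password is a fixed, searchable string (e10adc3949ba59abbe56e057f20f883e is the MD5 of "123456"). The Python below is an added illustration, not code from the thread or from Groupon: it shows the single-table lookup that recovers such a dump, and beside it a per-user salted, iterated PBKDF2 store in which the same password yields a different record for every user. The usernames and hashes in SAMPLE_DUMP are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: a leaked table of unsalted MD5 hashes, like the dumps
# described in the thread. carol's value is a made-up hash matching nothing.
SAMPLE_DUMP = {
    "alice": "e10adc3949ba59abbe56e057f20f883e",  # MD5("123456"), the hash quoted above
    "bob": "5f4dcc3b5aa765d61d8327deb882cf99",    # MD5("password")
    "carol": "0" * 32,
}
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def recover_unsalted(dump: dict, wordlist: list) -> dict:
    """Why an unsalted hash is as good as plaintext: one precomputed table
    (hash -> word) answers every user in the dump with a dictionary lookup."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


PBKDF2_ROUNDS = 200_000  # slow by design; tune so one check costs ~100 ms


def hash_password(password: str) -> str:
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256: identical
    passwords give different records, so no shared table (or search) applies."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(recover_unsalted(SAMPLE_DUMP, COMMON_PASSWORDS))  # alice and bob, not carol
    record = hash_password("123456")
    print(record, verify_password("123456", record), verify_password("1234567", record))
```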
Anonymous Coward

Awesome

uneffinbelievable...

now delete it!

FAIL

I don't believe them

> and corrected the problem immediately

OK, so they got in touch with Google, did they, to get them to delete it from their cache? Or did they just delete the db table? Somehow I don't believe these guys when they make these simple errors that they don't notice but someone else does, and they seem to know immediately how to fix it. Wasters.

Anonymous Coward

Password Manager

A password manager will NOT protect against something like this. You could have a 64-digit password and it would not prevent this.


Somewhat missed the point

Using a password manager makes using a different password for hundreds of websites actually possible. It doesn't help for the one specific compromised site but at least it is the only site affected.
