shakes head
inflated valuation, ipo, shady CEO, what next? I'm tellin ya, every time I see the name "Groupon" the ensuing articles just get funnier.
Groupon subsidiary Sosasta.com accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google. The trove of personal data was discovered by Australian security consultant Daniel Grzelak as he plugged a handful of query terms into the search engine, …
Any programmers involved should be fired and shot.
"Any programmers involved should be fired and shot."
Team responsible no doubt have a CMM 5 certificate.
We outsource a lot of coding to a certain very large Indian operation. Some of the code that comes back is truly shocking, as in; "the person wot wrote this is obviously a clueless fucktard of the highest order".
It may be cheap, but you get exactly what you paid for.....
for sites where you don't care about security much - this one for instance, & a lot of other news forums etc. The ones to be very careful with are the obvious - anything with the slightest connection to money/identity.
Groupon are a class act, though. A slow train wreck.
Yes there is.
1. Let's say 10,000 people use the same username (gmail id) / same password for useless sites like el reg and xnet and groupon subsidiaries. (But a totally diff one for gmail, bank, etc).
2. xnet, being more security conscious than el reg, ups the security by asking a few personal questions in case you lose your password such as "Where was the first time you had anal sex" etc.
3. groupon subsidiary loses all the passwords.
4. 10000 xnet and el reg accounts are hacked, no problem.
5. but out of those 10k lusers, 50% of them have the same security question at bank/gmail etc.
- So 5000 lusers give away access to their bank/gmail etc by losing groupon -> xnet -> bank.
One would assume that if someone is security conscious enough not to use the same username/password for sites that matter, they would also choose a different security question, or do what I do: when forced to choose a question, answer a load of garbage and then forget it.
So you have different security questions everywhere? Very probable.
And those people who are just doing as they're told, they circumvent this trap by filling in garbage (as opposed to something sensible, like a password management tool, or nothing at all)? Even more probable.
Any site insisting on a security question gets something like "lbbyiyiuhjhffjfyj" as an answer. One of my biggest bugbears with Win 7 was its insistence on entering a password hint.
If a site is important enough for me to actually worry about what happens if I've lost my password, there's a good chance I've a record of the password somewhere.
If sites are going to insist on security questions, they either need to let the user define the question or at least up their game a bit so we can't find the answer with a quick Google search.
- I am talking about 10000 people - deliberately. So there is bound to be a percentage who is not as security conscious as some of you (who are el reg readers).
- eg: This is not going to happen to people who type "lbbyiyiuhjhffjfyj" for the security answer [unless they always type the same string :) ]. But what is the percentage of people who do that?
- Are questions across sites really unique if you register to over 100 sites over a period of 5-6 years? "What was your first telephone number?" "What was your first pet's name?"
- Combine this with people who have facebook walls open.
Basic reason for me to post was that someone made a suggestion that it's OK to use the same password everywhere, while it is not OK for a majority of the population to do so, even though some smart people may get away with it.
And I certainly don't mean to challenge your individual intelligence here.
does nobody seed databases anymore to make it easier to track if there is a breach - heck even marketing does this occasionally.
On the plus side, at least they weren't hacked!
Just did a search myself; found an SQL dump of yet another website, full user details with passwords stored as simple MD5 hashes... (an online decryptor supplied plain-texts for every one I tried) ... This dated from 2009; What sort of admin puts such things where a search engine can find it, and leaves it there so long too!!
"What sort of admin puts such things where a search engine can find it, and leaves it there so long too!!"
Not so much an admin as more one of these guys.
we have people literally leaving password lists on the web!!
Paris--because I bet that she would realize that's a bad idea.
Surely the best method for keeping online passwords safe is to have an 'airgap' and write them down on a bit of paper?
User-agent: *
Disallow: /slqdatabase
there fixed.
... and that's a good thing, because it keeps us in the UK in jobs, firefighting their appalling output. Problem solving, diligence, honesty, thoroughness, common sense and defensive programming practices are not included in the daily £5 rate of your average Indian offshore whalla. But in the minds of some (GroupOn CIOs), the math somehow stacks up very nicely.
Whoever designed (especially the ones that call themselves "Architects") their system should immediately be let go. Even newbie web programmers know not to store clear text passwords anywhere, but instead, just store and compare against an MD5 or SHA hash of it.
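An added illustration (not code from the thread, Groupon or Sosasta) of the point the two comments above circle around: a bare MD5 of a password, as found in the dump described earlier, is effectively plain text because equal passwords give equal hashes and online lookup tables recover them, whereas a per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from Python's standard library here) removes both properties. The sample users and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample rows: two users who reused the same weak password.
SAMPLE_USERS = [
    ("alice@example.invalid", "summer2011"),
    ("bob@example.invalid", "summer2011"),
]


def md5_store(password: str) -> str:
    """Unsalted MD5, as in the dumps discussed: deterministic and lookup-friendly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as a self-describing record."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time comparison."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_stored_values(rows, store) -> int:
    """Users whose stored value is identical to another user's.

    With unsalted hashes a reused password is visible in the dump itself;
    with per-user salts every stored value is distinct.
    """
    counts = {}
    for _, password in rows:
        stored = store(password)
        counts[stored] = counts.get(stored, 0) + 1
    return sum(n for n in counts.values() if n > 1)
```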
> and corrected the problem immediately
OK, so they got in touch with Google did they to get them to delete it from their cache? Or did they just delete the db table? Somehow I don't believe these guys when they make these simple errors that they don't notice but someone else does and they seem to know immediately how to fix it. Wasters.
A password manager will NOT protect against something like this. You could have a 64 digit password and it would not prevent this.
Using a password manager makes using a different password for hundreds of websites actually possible. It doesn't help for the one specific compromised site but at least it is the only site affected.