back to article Groupon India publishes 300,000 user passwords

Groupon subsidiary Sosasta.com accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google. The trove of personal data was discovered by Australian security consultant Daniel Grzelak as he plugged a handful of query terms into the search engine, …

COMMENTS

This topic is closed for new posts.
  1. zen1

    shakes head

    inflated valuation, ipo, shady CEO, what next? I'm tellin ya, every time I see the name "Groupon" the ensuing articles just get funnier.

  2. DrXym

    The question is

    Will spammers be giving 50% off discounts

  3. da_fish27
    FAIL

    Really, really, pathetic

    Any programmers involved should be fired and shot.

    1. John Smith 19 Gold badge
      Unhappy

      @da_fish27

      "Any programmers involved should be fired and shot."

      Team responsible no doubt have a CMM 5 certificate.

    2. Anonymous Coward
      Thumb Up

      @da_fish27

      We outsource a lot of coding to a certain very large Indian operation. Some of the code that comes back is truly shocking, as in; "the person wot wrote this is obviously a clueless fucktard of the highest order".

      It may be cheap, but you get exactly what you paid for.....

  4. kissingthecarpet
    Facepalm

    Not much wrong with using the same password

    for sites where you don't care about security much - this one for instance, & a lot of other news forums etc. The ones to be very careful with are the obvious - anything with the slightest connection to money/identity.

    Groupon are a class act, though. A slow train wreck.

    1. alwarming
      FAIL

      Not so fast: Not much wrong with using the same password

      Yes there is.

      1. Let's say 10,000 people use same username (gmail id) / same password for useless sites like

      el reg and xnet and groupon subsidiaries. (But a totally diff one for gmail, bank, etc).

      2. xnet, being a more security conscious than el reg, ups the security by asking a few personal questions in case you lose your password such as "Where was first time you had anal sex" etc.

      3. groupon subsidiary loses all the passwords.

      4. 10000 xnet and el reg accounts are hacked, no problem.

      5. but out of those 10k lusers, 50% of them have the same security question at bank/gmail etc.

      - So 5000 lusers give away access to their bank/gmail etc by losing gorupon -> xnet -> bank.

      1. Anonymous Coward
        Alien

        @alwarming

        One would assume that if someone is security conscious enough not to use the same username//password for sites that matter they would also chose a different security question or do what I do, when forced to chose a question answer a load of garbage then forget it

        1. Marvin the Martian
          FAIL

          Yes, because you can always choose your security questions.

          So you have different security questions everywhere? Very probable.

          And those people who are just doing as they're told, they circumvent this trap by filling in garbage (as opposed to something sensible, like a password management tool, or nothing at all)? Even more probable.

          1. Anonymous Coward
            Anonymous Coward

            Same

            Any site insisting on a security question gets something like "lbbyiyiuhjhffjfyj" as an answer. One of my biggest bugbears with Win 7 was it's insistence on entering a password hint.

            If a site is important enough for me to actually worry about what happens if I've lost my password, there's a good chance I've a record of the password somewhere.

            If sites are going to insist on security questions, they either need to let the user define the question or at least up their game a bit so we can't find the answer with a quick Google search.

            1. alwarming

              Allow me to explain.

              - I am talking about 10000 people - deliberately. So there is bound to be a percentage who is

              not as security conscious as some of you (who are el reg readers).

              . eg: This is not going to happen to people who type "lbbyiyiuhjhffjfyj" for the security answer,

              [unless they always type the same string :) ]. But what is the percentage of people who do that ?

              . Are questions across sites really unique if you register to over 100 sites over a period of 5-6

              years ? "What was your first telephone number " ? "What was your first pet's name" ?

              . Combine this with people who have facebook walls open.

              Basic reason for me to post was that someone made a suggestion that it's OK to use same password everywhere, while it is not OK for a majority of population to do so,

              even though some smart people may get away with it.

              And I certainly don't mean to challenge your individual intelligence here.

  5. Anonymous Coward
    Anonymous Coward

    seeding?

    does nobody seed databases anymore to make it easier to track f there is a breach - heck even marketing does this occasionally.

  6. Big Bear
    Pint

    Silver lining?

    On the plus side, at least they weren't hacked!

  7. Anonymous Coward
    Anonymous Coward

    Google is your friend

    Just did a search myself; found an sql dump of yet another website, Full user details with passwords stored as simple MD5 hashes... (an online decryptor supplied plain-texts for every one I tried) ... This dated from 2009; What sort of admin puts such things where a search engine can find it, and leaves it there so long too!!

    1. John Smith 19 Gold badge
      Gimp

      AC@23:05

      <--

      "What sort of admin puts such things where a search engine can find it, and leaves it there so long too!!"

      Not so much an admin as more one of these guys.

  8. Anonymous Coward
    Paris Hilton

    As if the hacking wasnt enough.....

    we have people literally leaving password lists on the web!!

    Paris--because I bet that she would realize that's a bad idea.

  9. Sonny Jim
    Coffee/keyboard

    Keypass/Keysafe?

    Surely the best method for keeping online passwords safe is to have an 'airgap' and write them down on a bit of paper?

  10. Anonymous Coward
    Joke

    Groupon fixed the issue

    User-agent: *

    Disallow: /slqdatabase

    there fixed.

  11. Gerrit Hoekstra
    Happy

    Offshoring: They "just don't get it"

    ... and that's a good thing, because it keeps us in the UK in jobs, firefighting their appalling output. Problem solving, diligence, honesty, thoroughness, common sense and defensive programming practices are not included in the daily £5 rate of your average Indian offshore whalla. But in the minds of some (GroupOn CIO's), the math somehow stacks up very nicely.

  12. Anonymous Coward
    Big Brother

    Why are they storing passwords in the first place???

    Whoever designed (Especially the ones that call themselves "Architects") their system should immediately be let go. Even newbie web programmers know not to store clear text passwords anywhere, but instead, just store and compare against an MD5 or SHA hash of it.

    1. irrelevant
      FAIL

      md5?

      google filetype:sql e10adc3949ba59abbe56e057f20f883e

      1. Anonymous Coward
        Anonymous Coward

        Awesome

        uneffinbelievable...

        now delete it!

  13. Dr Wheetos
    FAIL

    I don't believe them

    > and corrected the problem immediately

    OK, so they got in touch with Google did they to get them to delete it from their cache? Or did they just delete the db table? Somehow I don't believe these guys when they make these simple errors that they don't notice but someone else does and they seem to know immediately how to fix it. Wasters.

  14. Anonymous Coward
    Anonymous Coward

    Password Manager

    A password manager will NOT protect against something like this. You could have a 64 digit password and it would not prevent this.

    1. Luckyrat

      Somewhat missed the point

      Using a password manager makes using a different password for hundreds of websites actually possible. It doesn't help for the one specific compromised site but at least it is the only site affected.

This topic is closed for new posts.

Other stories you might like