Consumers and security experts worried hackers motivated by either criminal or political-activist intentions will breach their security and steal databases of customer-account information needn't worry, following an incident at Groupon's Indian subsidiary.
The customer database of Groupon subsidiary SoSasta was published unsecured and unencrypted on the company's site for long enough to be part of a routine Google index of the site according to Australian security consultant Daniel Grzelak, who Tweeted the news late Tuesday and tipped off an Australian security news site.
He also notified Groupon, which "was amazing at providing a swift and full response," Grzelak Tweeted. "They deserve credit for their reaction."
Grzelak has "no idea" how the data came to be published, or for how long it was available online.
Groupon isn't saying providing any more details, at least so far.
"We removed the information that had been unintentionally shared," a Groupon spokesman told Reuters.
"After being alerted to this issue by an information security expert, we corrected the problem immediately," Groupon said in its only public statement so far. "We have begun notifying our subscribers and advising them to change their SoSasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more.Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries. We are thoroughly reviewing our security procedures for Sosasta and are implementing measures designed to prevent this kind of issue from recurring. This issue does not affect data from any other country or region. "
SoSasta posted a notice on its Facebook account saying it had fixed a security issue and that no financial information such as credit-card numbers were compromised, but that customers should change their passwords on Groupon and any sites on which they used similar passwords.
The database included passwords and email addresses for more than 300,000 Groupon customers.
Grzelak found the site while doing Google searches for publicly accessible sites with keywords such as "password" and "gmail."
Grzelak was looking for private-account data exposed by hackers or just bad security, to expand the data fueling a site he built called ShouldIChangeMyPassword, which contains data from 17 major recent corporate-data breaches. It checks email addresses and login names against lists of compromised accounts to tell users whether they were part of any major data breaches, whether publicly acknowledged or not.
Even knowing what he was looking for, Grzelak was surprised when the Groupon data came up.
"I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realized how big it actually was," he told Risky.biz.
Groupon filed a $750 million initial public offering earlier this month, though the WSJ predicts that number is "just a placeholder" in the paperwork and the real amount could be more than $1 billion, at a total valuation of $20 billion.
Not bad for a company that gives away its customer-account data.