Groupon’s Indian Partner Accidentally Publishes User Database to Google

By Kenna McHugh Comment


“A few hours and tweaks later, this database came up,” Australian security consultant Daniel Grzelak told Risky.Biz. “I started scrolling and scrolling and I couldn’t get to the bottom of the file. Then I realized how big it actually was.”

Grzelak is referring to the whole user database of Groupon’s Indian subsidiary The database was accidentally published onto the Internet, and then indexed by Google. The database consisted of e-mail addresses and clear-text passwords of the site’s 300,000 users. Grzelak discovered the leak while he was searching for publicly accessible databases containing e-mail address and password pairs.

Grzelak worked as a security consultant with Australian information security company Stratsec before leaving for a new career at a start-up gaming media company with two associates. He developed shouldichangemypassword, a website that enables “any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised.”

Grzelak was performing a standard search with the intent to expose more compromised accounts. He does this periodically in order to add more to the website’s database. Then, he stumbled across the Sosasta database. He contacted Risky.Biz to see what he should do with his new discovery. Risky.Biz contacted Groupon and CEO Andrew Mason called back within 24 hours.

Needless to say, the compromised database was remover right away. Groupon is running an internal investigation to find out how it could possibly happen that the database became publicly accessible. Sosasta users were notified of the breach and advised of the situation about their accounts no longer being secured.

Interestingly, Grzelak claims this type of incident is quite common. He told Risky.Biz “There are thousands of these databases indexed by Google,” he said. “This just happened to be by far the biggest I found.”

Groupon submitted a statement in regards to the breach of security:

On Friday morning India time (Thursday night Central US time), Groupon was alerted to a security issue potentially affecting subscribers of Sosasta, a website acquired by Groupon in January 2011.

After being alerted to this issue by an information security expert, we corrected the problem immediately. We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more.

Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries.

This issue does not affect data from any other country or region.

Groupon takes security and privacy very seriously. Our users’ trust is of paramount importance to us and we deeply regret this incident. We will provide more information as soon as possible.

It’s interesting that leaks of secure information on the internet happen in general, which causes one to pause and wonder how these leaks can be prevented since they are so common.