Groupon India Subsidiary Leaks 300,000 Plain Text User Passwords

Use Netsparker

Oh look! Another data-leak, this was was pretty bad as it contained plain-text passwords (who on earth doesn’t hash their passwords in the DB in 2011?!).

Anyway this time it was a Groupon subsidary – which managed to leak the e-mail addresses and plain-text passwords for 300,000 users AND on top of that, Google managed to index it.

The original story was published here:

Groupon leaks entire Indian user database

The leak was discovered by Australian security consultant Daniel Grzelak.

Groupon subsidiary accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google.

The trove of personal data was discovered by Australian security consultant Daniel Grzelak as he plugged a handful of query terms into the search engine, he said Tuesday. He contacted Patrick Gray with security blog Risky Biz, which reported that the SQL database contained the details for 300,000 Sosasta account holders.

A Groupon spokesman confirmed that the digital coupon distributor “was alerted to a security issue” on Thursday night and corrected the problem immediately. The issue was limited to Sosasta, which uses its own servers and network and isn’t connected to Groupon’s systems in other countries.

“We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible,” the spokesman said in a statement. “We will keep our Indian subscribers fully informed as we learn more.”

At least this time it seems like someone messed up rather than a hack by LulzSec or Anonymous. And it’s good to see an organization react quickly and responsibly to such an information disclosure, this is sadly a rather rare attribute.

The issue was limited to Sosata and did not effect any Groupon sites in other countries. Sosata users have been notified to change their passwords in the system, and I hope for their sakes not too much password re-use is going on.

I still don’t see the fact that the passwords were un-hashed being addressed anywhere though, doesn’t that concern anyone other than me?

At time of writing, there was no advisory on either the Groupon or Sosasta websites, although Sosasta’s Facebook page contained a notice that came in the form of a JPG image that couldn’t easily be indexed by Google or other search engines. Ah the irony.

According to Risky Biz, Grzelak found the massive cache as he was looking for additions to, a side project that indexes email addresses included in more than a dozen high-profile privacy breaches carried out by LulzSec and other hacking groups. The query that hit pay dirt included the terms “filetype:sql” “password” and “gmail.”

“I started scrolling, and scrolling and I couldn’t get to the bottom of the file,” Grzelak told Risky Biz. “Then I realised how big it actually was.”

The Groupon statement didn’t say why passwords weren’t encrypted or why such a sensitive file was publicly available.

The snafu is the latest to expose the folly of using the same password on more than one site, a practice still followed by a shockingly high number of people. If you’re one of them, you ought to consider using a password-management program such as Password Safe or KeePass.

For developers – http auth/password protected directories are good! Hashing passwords is good! Leaking sensitive info is BAD!

Sincerely I doubt anyone reading this site re-uses simplistic passwords for their online accounts – but just in case you do – or know anyone that does – I do recommend using Password Safe or KeePass anyway, keep that shizzle secure yo!

Anyway, I wonder if anyone is going to sue over this?

Source: The Register

Posted in: Legal Issues, Privacy

, ,

Latest Posts:

Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds. - Test SSL Security Including Ciphers, Protocols & Detect Flaws – Test SSL Security Including Ciphers, Protocols & Detect Flaws is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.

5 Responses to Groupon India Subsidiary Leaks 300,000 Plain Text User Passwords

  1. vikram June 29, 2011 at 12:29 pm #

    amazing….. in today’s world … storing plain text password…..

    you is the IT company behind them… they should be executed (like they do in china)…. no mercy….

    i thought IT stands for Indian Talent but this is shameful.

  2. Wojtek June 29, 2011 at 7:48 pm #

    As you mentionned KeePass and Password Safe, another great product to consider is
    I do not have any relationshipwith them, just a very happy user.

  3. johnp_80 June 30, 2011 at 5:28 am #

    Plain Text? seriously?
    Another good option is KeepassX, its been cross platform supporting a lot longer than Keepass, and doesn’t paint a bullseye on itself like LasPass

  4. Bogwitch June 30, 2011 at 10:24 am #

    “Hashing passwords is good!”

    Hashing passwords is better than leaving them in plaintext, for sure but a simple hashing is not sufficient. We have seen recent hacks, Bitcoin for example, that had hashed passwords but the passwords were easily cracked.
    If you are going to store passwords in a database, and if you’re running a site where users are going to log on you’ll probably have to, you need to run a hashing algorithm multiple times to slow down an adversaries attempt to extract the passwords from the hashes. My most recent site has the hash algorithm run for over 1,000, less than 10,000 times. Sure, there’s additional load on the server but far better than the exposure of account passwords IMO.

    • Darknet July 1, 2011 at 5:53 am #

      Yah I agree, but mostly it’s like this – just make the passwords hard enough to crack so that after a compromise you can everyone to change their passwords in the time before they get cracked. Multiple hashing sure does help (especially if you mix algorithms), and will really slow down extraction. Best of all, don’t let anyone get hold of the hashes in the first place..