June 29, 2011, 10:33 AM —
If you really stretch, putting the usernames online could be considered an (unusually bad) accident. But storing unhashed passwords anywhere is inexcusable. This is basically an announcement to the world that they have no security practices whatsoever.
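For readers wondering what "hashed" should have meant in practice, the following is an added example written for this page; it is not code from the article, from Groupon or from SoSasta. It puts the failing pattern (storing the password itself) beside the standard fix: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library, chosen here because it needs no third-party package; bcrypt, scrypt or Argon2 are equally good choices), and a constant-time comparison on verification. The record format, function names and the iteration count are assumptions made for the example, not anything the page describes.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for the example; OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is in this range. Raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The failing pattern: the stored record IS the secret.

    Anyone who reads the table (or a Google cache of it) has every
    password, and every other site where the user reused it.
    """
    return password


def _b64(raw: bytes) -> str:
    # Standard base64 never emits '$', so it is safe as a field separator.
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash.

    A fresh random salt per user means identical passwords produce
    different records, and an attacker cannot precompute one table for
    the whole database.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(derived)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Malformed or foreign records return False rather than raising, so a
    corrupted row cannot turn into a 500 that leaks which rows are odd.
    """
    try:
        scheme, iterations_text, salt_b64, hash_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids a timing side channel on the comparison itself.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than now required.

    Call this after a successful login and re-hash with the user's
    just-verified password, so old records are upgraded transparently.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    pw = "correct horse battery staple"
    bad = store_plaintext(pw)
    good = hash_password(pw)
    print("plaintext record reveals the secret:", pw in bad)   # True
    print("hashed record reveals the secret:   ", pw in good)  # False
    print("verify correct password:", verify_password(pw, good))
    print("verify wrong password:  ", verify_password("hunter2", good))
```

The point the example makes that the paragraph only asserts: a leaked table of these records still costs the attacker a full PBKDF2 run per guess per user, whereas a leaked table of `store_plaintext` records costs nothing. Note that hashing protects only the passwords; the usernames, e-mail addresses and other fields in such a dump are still exposed, which is why the notification in the statement below was still necessary.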
Consumers and security experts worried that hackers with criminal or political-activist motives will breach a company's security and steal its databases of customer-account information can, in at least one case, stop worrying: following an incident at Groupon's Indian subsidiary, no hacking was required.
According to Australian security consultant Daniel Grzelak, who tweeted the news late Tuesday and tipped off an Australian security news site, the customer database of Groupon subsidiary SoSasta was published unsecured and unencrypted on the company's own site, and stayed there long enough to be picked up by a routine Google crawl and indexed.
He also notified Groupon, which "was amazing at providing a swift and full response," Grzelak tweeted. "They deserve credit for their reaction."
Grzelak has "no idea" how the data came to be published, or for how long it was available online.
Groupon isn't providing any more details, at least so far.
"We removed the information that had been unintentionally shared," a Groupon spokesman told Reuters.
"After being alerted to this issue by an information security expert, we corrected the problem immediately," Groupon said in its only public statement so far.
"We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more.
Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries."