The entire user database of Groupon’s Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google.
The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.
Grzelak used Google to search for SQL database files that were web-accessible and contained keywords like “password” and “gmail”.
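The same class of exposure can be caught from the defender's side before a search engine indexes it: walk the web document root, flag any database dump or backup file sitting there, and check whether its rows pair e-mail addresses with values that are not password hashes. The following is an added example, not code from Risky.Biz or Groupon; the file names, the `users.sql` rows and the hash-shape heuristic are constructed assumptions for illustration.

```python
import os
import re
import tempfile

# Extensions that commonly mark database dumps or backups stray in a web root.
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".sql.zip", ".dump", ".bak", ".db")

QUOTED_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Heuristic: bcrypt, argon2, sha512-crypt prefixes or a long hex digest.
HASH_RE = re.compile(r"^(\$2[aby]\$|\$argon2|\$6\$|[0-9a-f]{32,}$)")


def looks_like_plaintext_credentials(line):
    """True if an INSERT row pairs an e-mail address with a value that is not hash-shaped."""
    if "insert" not in line.lower():
        return False
    values = QUOTED_RE.findall(line)
    has_email = any(EMAIL_RE.fullmatch(v) for v in values)
    has_plain = any(
        not EMAIL_RE.fullmatch(v) and not HASH_RE.match(v) and 4 <= len(v) <= 64
        for v in values
    )
    return has_email and has_plain


def scan_web_root(root):
    """Report every dump-like file under root and how many clear-text credential rows it holds."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(DUMP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rows = 0
            # Compressed dumps are still reported by name; their contents are not inspected.
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                for line in fh:
                    if looks_like_plaintext_credentials(line):
                        rows += 1
            findings.append({"path": os.path.relpath(path, root), "plaintext_rows": rows})
    return findings


def demo():
    """Build a constructed web root with one stray dump (sample data, not real users) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "backup", "users.sql"), "w") as fh:
        fh.write("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2');\n")
        fh.write("INSERT INTO users VALUES (2, 'bob@example.com', '$2b$12$constructedbcryptstring');\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    return scan_web_root(root)
```

Run `demo()` to see the stray `backup/users.sql` reported with one clear-text row; a row whose password column is hash-shaped is not counted.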
“A few hours and tweaks later, this database came up,” he said. “I started scrolling, and scrolling and I couldn’t get to the bottom of the file. Then I realised how big it actually was.”
Grzelak contacted Risky.Biz after the Sosasta discovery to seek advice on disclosure. This website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact.
The database was removed immediately and the company has launched an internal investigation to find out how it wound up publicly accessible in the first place.
Groupon is notifying all its Sosasta users of the incident and is advising them that the passwords they used on the website are now compromised and cannot be relied upon to secure other accounts.