Slashdot Mirror


Groupon Deal of the Day: 300,000 Customer Accounts

itwbennett writes "The customer database of Groupon's Indian subsidiary was published, unsecured and unencrypted, on the company's site for long enough to be indexed by Google. Australian security consultant Daniel Grzelak tweeted the news and also notified Groupon, which 'was amazing at providing a swift and full response,' Grzelak said on Twitter. 'They deserve credit for their reaction.'"

17 of 90 comments

  1. Credit Where Credit Is Due by jimmerz28 · Score: 5, Insightful

    I guess they also "deserve credit" for allowing it to occur in the first place?

    1. Re:Credit Where Credit Is Due by phantomfive · Score: 4, Insightful

      Exactly. If you really stretch, putting the usernames online could be considered an (unusually bad) accident. But storing unhashed passwords anywhere is inexcusable. This is basically an announcement to the world that they have no security practices whatsoever.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Credit Where Credit Is Due by ByOhTek · Score: 3, Interesting

      In general practice, things that target cheapskates for money tend to be *very* poor quality in any area where dropping quality shaves off a buck of cost - the profit margins tend to be low, and every saved dollar is necessary. Better to stay in business until caught, than make no profit at all.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    3. Re:Credit Where Credit Is Due by jimmerz28 · Score: 2

      If I had said they "only" deserve this credit then maybe you'd have a point; however, I said "also" since this article was supposed to be a sweeping appraisal of a response to a rather disgusting action. They deserve credit for both actions, not just their "brush this under the rug asap".

    4. Re:Credit Where Credit Is Due by ByOhTek · Score: 3, Interesting

      bullshit on #2.

      I admin a closed sourced app with a web portal, and I can tell you the passwords are damn well hashed and salted. It doesn't take much having to fiddle around with the various data files enough in the lines of customizing things, to see where and how the passwords are stored.

      In other cases, where the database is used to store this, the user account table(s) in the database usually have a cryptically named column such as "pass", "pass_hash", etc. that couldn't have anything to do with the password...

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    5. Re:Credit Where Credit Is Due by Qzukk · Score: 4, Insightful

      2) unless the site backend is open source, you don't even know whether passwords are hashed unless it gets hacked

      I tell it I forgot my password. If it emails the password back to me, it's stored as good as plain text. Then I change it to line noise and never go back.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    6. Re:Credit Where Credit Is Due by TheSpoom · Score: 2

      Plus, to encrypt client-side, you'd have to give away your salt.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
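As an added, constructed example (not code from this thread, from Groupon, or from any poster) of the storage the replies above argue for: a per-user salted, iterated hash that lets a backend verify a login but can never hand the password back, plus a reset-token flow in place of emailing the password. The iteration count, salt length and record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Assumed parameters for this illustration (not from the thread).
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record "pbkdf2_sha256$iters$salt_hex$hash_hex" for the user table.

    A fresh random salt per user means two accounts with the same password
    get different records, and a leaked table gives no way to read the
    passwords back: only a slow per-guess recomputation is possible.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def issue_reset_token() -> Tuple[str, str]:
    """'Forgot password' without the plaintext: mail the user a random token
    and keep only its hash, so a leaked table holds no usable tokens either."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()


def check_reset_token(token: str, stored_hash: str) -> bool:
    """Accept the token the user brings back if it hashes to the stored value."""
    candidate = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    record = store_password("hunter2")  # constructed sample password
    print(record, verify_password("hunter2", record), verify_password("guess", record))
```

A site built this way cannot pass Qzukk's test: there is no function that returns the password, so "I forgot my password" can only produce a fresh token.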
  2. Yay? by Daetrin · Score: 3, Insightful

    Well the one good thing we definitely seem to have gotten out of the Sony fiasco is the corporate realization that any company with a significant "social" or consumer side is much better off announcing at least some details as quickly as possible as soon as they realize they've been hacked.

    One hopes that those same corporations have _also_ learned that better security is necessary, but even if they have we're not going to see the effects of _that_ lesson for awhile.

    --
    This Space Intentionally Left Blank
  3. They deserve credit? by zill · Score: 3, Insightful

    'They deserve credit for their reaction.'

    That's like saying if I quickly pull the knife out after stabbing someone, I deserve credit for my quick reaction.

    1. Re:They deserve credit? by callmebill · Score: 2

      Or more like, you gave the car and keys to the valet, and they left the keys in the car while they dozed at their post. Your car (or your GPS) was stolen.

  4. Re:Oh for the love of ! by just_another_sean · Score: 2

    Yeah, except for in this case the "hackers" were Google. Will anyone pay attention to shoddy security on the web now, or will we see new legislation introduced that makes indexing the web illegal? At this point, as absurd as that statement sounds, I just don't know.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  5. Daily Deal! by Compaqt · Score: 3, Funny

    1-day only Groupon:

    100% off on the India customer list

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:Daily Deal! by Lev13than · Score: 3, Informative

      It won't be quite that bad - experts predicted that over 1/3 of the passwords will never get used.

      --
      When you have nothing left to burn you must set yourself on fire
  6. Re:Groupon India? by vlm · Score: 2

    Whoops, I suppose I should have checked today's offers before posting.

    We have a $50 basic car detailing marked up to $210 then back down as a deal to $75 a mere 25 miles from my house in a scary neighborhood, a "detoxifying foot bath" sounds like just a step above patent medicines and faith healing, and a speed reading class 30 miles from home that normally retails for a mere $40/hour (WTF? $40/hr for a reading class?) and now is "on sale" for a mere $10/hr.

    I guess they pulled the sun tan salons when they realized it's warm enough to ... just lay outside.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  7. Re:Oh for the love of ! by Monchanger · Score: 2

    Lately? Security has never been a sufficiently significant concern to managers or even technical people. Do you think decades-old problems like SQL injections and buffer overflows are extinct? And this "security breach" was a matter of putting sensitive data in a publicly accessible directory.

    I blame our short-term memory for this epidemic. The prevalence of short-term thinking (you want how many billion bloody dollars for this unproven business model???) likely deserves some "credit" too.

  8. Re:Oh for the love of ! by JonySuede · Score: 3, Insightful

    I feel like I am in bizarro world as this phrase now evaluates to true....

    --
    Jehovah be praised, Oracle was not selected
  9. Re:Time to blame Google for hacking! by iiiears · Score: 2

    @DigiShaman Exactly.

    If your favorite site has leaked passwords, a quick search will find a dozen sites with lists.
    Curious about what a typical "secret" "password" is? This site will tell you, in "1234567" "hunter2":
    http://stormsecurity.wordpress.com/2009/10/12/check-if-your-email-account-has-been-exposed/

    --
    15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)