Groupon Subsidiary Accidentally Leaks User Password Database

All 300,000 users of the company's India-based subsidiary, SoSasta, received a message urging them to quickly change their passwords


Australian security consultant Daniel Grzelak was searching Google a few days ago when he came across a large file containing the email addresses and passwords of hundreds of thousands of SoSasta users. He immediately notified the company, which is Groupon's India-based subsidiary, and SoSasta sent a message to its customers.

"Over this weekend, we've been alerted to a security issue potentially affecting subscribers of SoSasta. We wanted to let you know that the issue has been brought under control and your accounts are secure," the note read. "However, as a precautionary measure, we recommend that you change your SoSasta password immediately, by visiting the SoSasta website...." The message took extra care to relay the information calmly and keep any concerned parties from assuming the worst. "Please be aware that none of your financial information (Credit Card, Debit Card, NetBanking etc.) has been compromised since this information is not stored on SoSasta, as per law," the note added. (The full text of the email is available here.)

But had any of that information been stored on SoSasta's servers, it would most likely have leaked along with everything else for the 300,000 affected customers. And the information that did leak is still at risk. What SoSasta failed to tell its customers -- and that email didn't even reach everyone's inbox, according to ZDNet's India IT blog -- is that the file had been indexed by Google and was available to anybody who searched for it; a file the search engine has already crawled can remain retrievable from its cache for some time after the original is taken down. Because the passwords were exposed in a directly usable form, anyone who downloaded the file can try each email and password on other sites, and wherever a customer reused the same login, that account is open too. (And we really shouldn't, but who doesn't use the same login information for more than one site?)
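The credential-reuse risk described above is also the reason operators of unrelated sites pay attention to a leak like this one. The following is an added example, not code from the article or from SoSasta or Groupon: it parses a constructed plaintext "email:password" dump (sample data, not the real leak), keeps a hypothetical second site's own user table as salted PBKDF2 hashes rather than passwords, and checks each leaked password only against the matching local account to find users who reused it and need a forced reset. The iteration count, the salt length and the sample users are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample in the shape of a plaintext "email:password" dump.
# These are made-up records, NOT data from the SoSasta leak.
LEAKED_DUMP = """\
alice@example.com:Summer2011
bob@example.com:hunter2
carol@example.com:correct horse battery staple
"""

PBKDF2_ITERATIONS = 100_000  # assumption: cost parameter chosen for this demo


def parse_dump(text):
    """Turn 'email:password' lines into a dict keyed by lower-cased email.
    Splitting on the first ':' keeps passwords that contain colons intact."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256: what a site stores instead of the password,
    so a leaked table cannot be replayed elsewhere the way a plaintext one can."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def make_user_record(email, password):
    """Create one user row with a fresh 16-byte random salt (assumed length)."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt,
            "hash": hash_password(password, salt)}


def verify_password(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"],
                               hash_password(candidate, record["salt"]))


# Constructed user table for a hypothetical unrelated site. Alice reused her
# leaked password, Bob chose a different one, and Dave is not in the dump.
LOCAL_DB = [
    make_user_record("alice@example.com", "Summer2011"),
    make_user_record("bob@example.com", "a-different-password"),
    make_user_record("dave@example.com", "unrelated-secret"),
]


def find_reused_accounts(local_db, leaked_creds):
    """Return the sorted emails of local users whose leaked password still
    unlocks their account here. Each candidate is checked only against its
    own record, so the cost is one PBKDF2 evaluation per overlapping email."""
    reused = []
    for record in local_db:
        leaked_password = leaked_creds.get(record["email"])
        if leaked_password is not None and verify_password(record, leaked_password):
            reused.append(record["email"])
    return sorted(reused)


if __name__ == "__main__":
    for email in find_reused_accounts(LOCAL_DB, parse_dump(LEAKED_DUMP)):
        print(f"force password reset: {email}")
```

The same check is what an attacker runs against a login form, just from the other side: because the leak is in cleartext, no cracking is needed, only a lookup per email. A site that stores only salted hashes can still run this comparison for its own users, but its own table, if leaked, would not hand out usable passwords the way this one did.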

With hacking on the rise and the emergence of collectives dedicated to breaking into sites and networks and stealing private information just "for the lulz," we've reached a point where some companies receive less backlash for security breaches than one might expect. When Gawker's database was compromised it didn't seem to take a big hit in readership or support. But how will SoSasta customers react when they realize that this past weekend's leak appears to have just been an accident on Groupon's part as opposed to the work of a malicious outsider?

For what it's worth, Groupon told the Risky Business blog that, because SoSasta, which was acquired by the larger company only about six months ago, runs on its own servers and platform, the leak won't affect any customers in the United States.