All 300,000 users of the company's India-based subsidiary, SoSasta, received a message urging them to quickly change their passwords
Australian security consultant Daniel Grzelak was trolling Google a few days ago when he came across a massive file with the email addresses and passwords for hundreds of thousands of SoSasta users. He immediately notified the company, which is Groupon's India-based subsidiary, and SoSasta sent out a message to its customers.
"Over this weekend, we've been alerted to a security issue potentially affecting subscribers of SoSasta. We wanted to let you know that the issue has been brought under control and your accounts are secure," the note read. "However, as a precautionary measure, we recommend that you change your SoSasta password immediately, by visiting the SoSasta website...." The message took extra care to relay the information calmly and keep any concerned parties from assuming the worst. "Please be aware that none of your financial information (Credit Card, Debit Card, NetBanking etc.) has been compromised since this information is not stored on SoSasta, as per law," the note added. (The full text of the email is available here.)
But had any of that information been stored on SoSasta's servers, it probably would have been leaked along with everything else for the 300,000 affected customers. All of that information could still be at risk, though. What SoSasta failed to tell its customers -- and that email didn't even make it into everyone's inbox, according to ZDNET's India IT blog -- is that the information was indexed by Google and available to anybody. Should those account names and passwords also be in use on any other sites, anybody who tries them there will be granted access. (And we really shouldn't, but who doesn't use the same login information for more than one site?)