Groupon India Leaks User Database Via Google Search [E-Mails And Plain-Text Passwords]
Groupon, the online group deals giant recently made it's entry into India with the acquisition of an Indian group deals website called SoSasta.com. And the very first serious hurdle which Groupon has faced in India is the leak of it's Indian users database online. The entire database of 300,000 users on SoSasta.com (Groupon's India Subsidiary), which was stored as an sql file became accessible by the website and was indexed by Google.
The bitter part of this leak is that the database contained e-mail addresses and passwords in clear-text of all the 300,000 users on the Website. Now, in spite of so many hack attacks going around the world, how can any one be so casual to store their user's passwords in clear-text and not hash or salt them. However, Groupon users worldwide have not been affected as this database was not connected in anyway to Groupon's global database.
We had earlier told you how India’s Leading Payment Gateway “CCAvenue” was hacked.
But thankfully this leak was discovered by an Australian security consultant Daniel Grzelak who immediately contacted the CEO of Groupon, Andrew Mason with the help Risky.Biz.
Groupon's CEO personally called back within 24 hours and the database was removed immediately. Groupon has now notified all it's SoSasta.com users about the incident and has asked them to change all their passwords on other websites. However, the website's front page has no mention about the leak anywhere.
Daniel Grzelak, who first discovered this leak, runs a website called shouldichangemypassword.com as side project. This website has leaked or stolen account information about 1.3 million records from the recent high-profile security breaches and lets users search the database for their e-mail addresses to see if their accounts have been compromised.
Grzelak was searching for more such accounts to be added to the database of his website, when he came across the SoSasta.com database on Google. Here is a quick tip for webmasters which shows how to prevent search engines like Google and Bing from indexing any database dumps or SQL files on your website.
Thanks Patrick for the tip