Forgot your password?
typodupeerror
Security IT

Groupon Deal of the Day: 300,000 Customer Accounts 90

Posted by samzenpus
from the good-deal dept.
itwbennett writes "The customer database of Groupon's Indian subsidiary was published, unsecured and unencrypted, on the company's site for long enough to indexed by Google. Australian security consultant Daniel Grzelak, Tweeted the news and also notified Groupon, which 'was amazing at providing a swift and full response,' Grzelak said on Twitter. 'They deserve credit for their reaction.'"
This discussion has been archived. No new comments can be posted.

Groupon Deal of the Day: 300,000 Customer Accounts

Comments Filter:
  • by jimmerz28 (1928616) on Wednesday June 29, 2011 @01:13PM (#36613042)
    I guess they also "deserve credit" for allowing it to occur in the first place?
    • by phantomfive (622387) on Wednesday June 29, 2011 @01:21PM (#36613154) Journal
      Exactly. If you really stretch, putting the user-names online could be considered an (unusually bad) accident. But storing unhashed passwords anywhere is inexcusable. This is basically an announcement to the world that they have no security practices whatsoever.
      • by ByOhTek (1181381) on Wednesday June 29, 2011 @01:54PM (#36613574) Journal

        In general practice, things that target cheapskates for money tend to be *very* poor quality in any area where dropping quality shaves off a buck of cost - the profit margins tend to be low, and every saved dollar is necessary. Better to stay in business until caught, than make no profit at all.

      • I think it's right to go further and say that in general recording your users' passwords without suitably salting them and passing them through a secure hasing algorithm is, unless you have an extremely robust justification, antiethical to claims or basic IT security competency.

        Tid bit: I remember an application once (perhaps a linux distribution?) that had an embarrassing bug where the installer asked you to enter a password and which could end up recorded in a log file. Silly errors always trounce best pr

    • By your logic, every response is the same-- i mean, if they screwed up, who CARES whether they respond quickly and acknowledge the problem? We cant give them an ounce of credit, so they might as well go all out and release the password database too, right?

      Not to minimize the extent of their fail, but seriously, attitudes like yours hardly encourage vendors to respond to breaches and vulnerability reporting responsibly.

      • If I had said they "only" deserve this credit than maybe you'd have a point, however, I said "also" since this article was supposed to be a sweeping appraisal of a response to a rather disgusting action. They deserve credit for both actions, not just their "brush this under the rug asap".
      • We cant give them an ounce of credit

        An ounce of credit doesn't fix several pounds of irresponsible behavior and lax security.

        • A good response to a mistake is a heck of a lot better than no response; this is why Im willing to cut Google some slack after the WiFi foul-up, and cut Microsoft some slack when they make a really decent product. One mistake does not mean the end of any consideration of merit.

          My goodness, I hope you never make any mistakes, if you mean to say (as your statement implies) that there is no return from a screwup.

          • My goodness, I hope you never make any mistakes, if you mean to say (as your statement implies) that there is no return from a screwup.

            Of course I make mistakes, and people (and companies) can make a return from a screw up, but securing user data after it's been made public on Google for the world to see forever after does not make up for the poor design, implementation and security that took place up front. At some point the display of such poor judgement and minimal (if any) skill should make it clear that they shouldn't be in a position of such responsibility in the first place, let alone now.

            If I display such utterly poor judgement

            • ..securing user data after it's been made public on Google for the world to see forever after does not make up for the poor design, implementation and security..

              Neither TFS nor any previous poster said that GroupOn's effective, albeit untimely, response in any way abdicates them from the responsibility for the leak. TFS simply meant that GroupOn's immediate reaction(once they knew what had happened) deserves some consideration.

              they shouldn't be in a position of such responsibility in the first place, let alone now

              I'm guessing that you mean that if a software developer can't write 100% secure software the first time, said developer shouldn't develop software at all?

              the entire management and security team should be replaced

              Please correct me if I'm not understanding this correctly, but it seems to me that you

              • Neither TFS nor any previous poster said that GroupOn's effective, albeit untimely, response in any way abdicates them from the responsibility for the leak. TFS simply meant that GroupOn's immediate reaction(once they knew what had happened) deserves some consideration.

                Too little too late IMHO. Security should never be an afterthought.

                I'm guessing that you mean that if a software developer can't write 100% secure software the first time, said developer shouldn't develop software at all?

                Not what I said and not what I meant. Their 0% security approach is completely unforgivable. Software developers should make every reasonable effort to secure their products, websites and data. Truly 100% secure isn't obtainable because OS, 3rd party software and other vulnerabilities beyond their control come into play.

                Please correct me if I'm not understanding this correctly, but it seems to me that you're advocating strict government oversight of the entire software industry.

                No, I'm advocating strict shareholder oversight of the entire software industry. Management has a responsibility to those w

  • there is a serious issue going on lately in IT. sony, dropbox, now groupon. who's next?
    • by cshark (673578)

      This is what happens when you don't think about security when you build your apps and servers.

    • Yeah, except for in this case the "hackers" were Google. Will anyone pay attention to shoddy security on the web now or we will see new legislation introduced that makes indexing the web illegal? At this point, as absurd as that statement sounds, I just don't know.

      • by marnues (906739)
        That's some obvious FUD if I ever heard it. Google did exactly what Google does. If there is a "hacker", it was the ops team that opened the web server up to a plain text file. I personally find the it disingenuous to call someone a "hacker" in this case. The GP was referencing the poor security of these companies, nothing about hacking or whatever.
    • there is a serious issue going on lately in IT

      Just for clarification: It's the reporting of it that's gone up, not the incidents of it. S'not like everybody decided to downgrade security.

      • Couldn't recent levels of hacking or hacking reports be due to upgraded hacking rather than downgraded security? Maybe I'm wrong, I'm not in the industry, but that seems like basic logic - after Anon, everyone started jumping on the bandwagon. No?
        • D'oh.

          I phrased that reallllly badly. I basically said "the level of hacking is the same" when I was thinking "the vulnerabilities leaving IT available to hacking are the same."

          I'm sorry, you're right. What I said and what I meant were two different things. :/

    • Lately? Security has never been a sufficiently significant concern to managers or even technical people. Do you think decades-old problems like SQL injections and buffer overflows are extinct? And this "security breach" was a matter of putting sensitive data in a publicly accessible directory.

      I blame our short-term memory for this epidemic. The prevalence of short-term thinking (you want how many billion bloody dollars for this unproven business model???) likely deserves some "credit" too.

  • Yay? (Score:4, Insightful)

    by Daetrin (576516) on Wednesday June 29, 2011 @01:23PM (#36613184)
    Well the one good thing we definitely seem to have gotten out of the Sony fiasco is the corporate realization that any company with a significant "social" or consumer side is much better off announcing at least some details as quickly as possible as soon as they realize they've been hacked.

    One hopes that those same corporations have _also_ learned that better security is necessary, but even if they have we're not going to see the effects of _that_ lesson for awhile.
  • Without that influx of IPO cash how can they fix these security holes???

  • It is Google's fault for hacking! Sadly, it wouldn't be the first time Google has been sued for that [theinquirer.net].
    • That's equivalent to google taking a street picture of a house with its front door open exposing valuables. Several weeks later, that house gets robbed of only the items in view. The motive and scope of the crime is a moot point. The point is that once you leave something available to the public, it's up to the owner to minimize the risk.

  • by zill (1690130) on Wednesday June 29, 2011 @01:29PM (#36613266)

    'They deserve credit for their reaction.'

    That's like saying if I quickly pull the knife out after stabbing someone, I deserve credit for my quick reaction.

    • by Aladrin (926209)

      No no, only if you tell them you stabbed them and apologize.

      Or for a car analogy, it's like slashing someone's tires, then telling them as soon as you can find them.

      The damage was done here, but nothing was (or can be) done to fix the problem.

      • Or more like, you gave the car and keys to the valet, and they left the keys in the car while they dozed at their post. Your car (or your GPS) was stolen.
    • by ArsonSmith (13997)

      only if you rush them to the hospital and explain the accident...

      Otherwise your analogy is saying they gave this access on purpose. They may have, although I personally doubt it.

    • by marnues (906739)
      We could discontinue the absurd idea that companies are a singular entity. Someone in IT should be sacked and someone in PR (or hopefully an Exec as this should be a big deal in GroupOn) has earned their bonus for the year. GroupOn as an entity though is definitely going to hurt from this.
  • Daily Deal! (Score:4, Funny)

    by Compaqt (1758360) on Wednesday June 29, 2011 @01:36PM (#36613366) Homepage

    1-day only Groupon:

    100% off on the India customer list

  • The customer database of Groupon's Indian subsidiary was published

    Does Groupon-India offer good deals or just junk like we get around here? All we have around here is suntanning offers (hello, look at my skin color?, they should filter for stuff like that) and waxing salons (uuh, no) and some restaurant over 40 miles away that probably isn't any different than the other 2000 restaurants I'd have to drive past to get there.

    My guess is Groupon-India would probably offer real popular deals like genuine grass-fed beef hamburgers and Pakistani restaurant special offers.

    • by vlm (69642)

      Whoops, I suppose I should have checked todays offers before posting.

      We have a $50 basic car detailing marked up to $210 then back down as a deal to $75 a mere 25 miles from my house in a scary neighborhood, a "detoxifying foot bath" sounds like just a step above patent medicines and faith healing, and a speed reading class 30 miles from home that normally retails for a mere $40/hour (WTF? $40/hr for a reading class?) and now is "on sale" for a mere $10/hr.

      I guess they pulled the sun tan salons when they re

  • Perhaps this gets mentioned daily when these exposures happen, but I guess I just don't understand why cleartext passwords are being stored server side anyway. I'm no security researcher, but surely one-way hash algorithms and password validation techniques have advanced to the point where exposure of the raw password data can't immediately lead to the original password being compromised? Are the authors of these large scale systems unaware or lazy, or are they actually dealing with a problem that's beyon

    • by Jaime2 (824950)
      It happens enough to require some concrete explanation other than ignorance. There could be a few possible explanations, from the customer service department demanding to know user's passwords in order to help customers more quickly, to someone in IT deciding storing clear-text password will allow a simpler shift from one back-end to another at some time in the future. Since these reduce a small amount of pain on the organization and the loss of passwords brings no pain (except to their customers), the in
  • by Anonymous Coward
    Perhaps they should've outsourced their coding to the US.
  • Outsourcing IT security to the lowest foreign bidder. What could go worng?
  • Not kidding here. If any of you slashdotters are subscribed to groupon ; you have to do this - even if you sign up again later. It's worth it. Unsubscribe completely.

    What you will see is a VERY clever "We're sorry to see you go..." screen with an awesome Easter egg embedded in there. They may have shot themselves in the foot with this. I want to unsubscribe again and again.

  • Companies have proven over and over that they will not produce secure software. They won't even make a decent attempt at it. Something needs to be done to put much more pressure on companies to put more focus on security rather than knocking out features every week or using low paid under skilled developers.
    • by bfree (113420)
      Some RIAA level figures would do the trick, so if it is $150,000 per song for allofmp3.com then surely $150,000 per user would be appropriate? So Sony and their 70 million leaked user accounts would only have cost them $10.5 trillion and Groupon would get a bill for $45 billion. Even dropping to $200 per song/user (a figure a judge came up with in an "innocent infringement" case for non-commercial music sharing) Sony would have faced a bill for $14 billion and Groupon $60 million.
      • Not a bad idea really. If one measly song can be worth so much then surely a person's identity should be worth as much if not more.
  • to never sign up for Groupon, in addition to a Sony account.

Whenever people agree with me, I always think I must be wrong. - Oscar Wilde

Working...