Skip to main content
  1. Home
  2. Computing
  3. News

Groupon’s entire Indian user database published online

By
andrew_mason_groupon-sosasta
Image used with permission by copyright holder

In what appears to have been a massive mistake, the entire user database of Groupon‘s Indian subsidiary Sosasta.com has been published online and indexed by Google, reports Risky.biz. Included in the searchable database are all the email addresses and passwords of Sosasta’s 300,000 users. Whoops…

Australian security consultant Daniel Grzelak first discovered the substantial cache of login credentials as part of his research for his newly launched personal online service ShouldIChangeMyPassword.com. The discovery was made by simply searching in Google for standard SQL database files that contained words like “gmail” and “password.”

“A few hours and tweaks later, this database came up,” Grezlak tells Risky.biz. “I started scrolling, and scrolling and I couldn’t get to the bottom of the file. Then I realised how big it actually was.”

After discovering the breach Grezlak called Risky.biz to report his findings. The website then called Groupon CEO Andrew Mason, who called them back personally soon after they reported the data leak. Groupon has since had the database removed from Google — an astounding accomplishment, as anyone who’s ever tried to get Google to do them a favor knows too well — and the daily deals company has reportedly launched an internal investigation to discover how such a thing could have happened.

Groupon has alerted its Sosasta users of the escapade and urged them to change their passwords.

According to Groupon’s official statement on the matter, “Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries,” so Groupon users in the US or anywhere outside of India probably have nothing to worry about.

Perhaps even more interesting is Grezlak’s password project, which allows users to check their email address to see if it’s included in any of the user log databases that have been published by hackers over the past year.

“There are now…1.3 million records on the site,” says Grezlak. “All the LulzSec releases are included as well as data from other high profile incidents such as the Mt. Gox Bitcoin exchange hack and the Gawker breach from a year ago.”

So if you’re wondering whether you’re possibly at risk, check your address right here.

(Pictured: Groupon CEO Andrew Mason; Image via)

Topics
Andrew Couts
Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more