Through some unknown turn of events, all the email addresses and passwords for users of Groupon's Indian subsidiary Sosasta.com were published online and made searchable through Google.
In what appears to have been a massive mistake, the entire user database of Groupon‘s Indian subsidiary Sosasta.com has been published online and indexed by Google, reports Risky.biz. Included in the searchable database are all the email addresses and passwords of Sosasta’s 300,000 users. Whoops…
Australian security consultant Daniel Grzelak first discovered the substantial cache of login credentials as part of his research for his newly launched personal online service ShouldIChangeMyPassword.com. The discovery was made by simply searching in Google for standard SQL database files that contained words like “gmail” and “password.”
“A few hours and tweaks later, this database came up,” Grezlak tells Risky.biz. “I started scrolling, and scrolling and I couldn’t get to the bottom of the file. Then I realised how big it actually was.”
After discovering the breach Grezlak called Risky.biz to report his findings. The website then called Groupon CEO Andrew Mason, who called them back personally soon after they reported the data leak. Groupon has since had the database removed from Google — an astounding accomplishment, as anyone who’s ever tried to get Google to do them a favor knows too well — and the daily deals company has reportedly launched an internal investigation to discover how such a thing could have happened.
Groupon has alerted its Sosasta users of the escapade and urged them to change their passwords.
According to Groupon’s official statement on the matter, “Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries,” so Groupon users in the US or anywhere outside of India probably have nothing to worry about.
Perhaps even more interesting is Grezlak’s password project, which allows users to check their email address to see if it’s included in any of the user log databases that have been published by hackers over the past year.
“There are now…1.3 million records on the site,” says Grezlak. “All the LulzSec releases are included as well as data from other high profile incidents such as the Mt. Gox Bitcoin exchange hack and the Gawker breach from a year ago.”
So if you’re wondering whether you’re possibly at risk, check your address right here.
(Pictured: Groupon CEO Andrew Mason; Image via)
