The user database of Groupon’s Indian subsidiary, SoSasta, was published on the Internet and indexed by Google, according to an Australian security consultant.
“I found the data via Google. Sosasta was notified ASAP,” said Daniel Grzelak in a message on Twitter on Tuesday. He said he had no clue as to how the database was published on the Internet.
Grzelak contacted Risky.Biz, a security news and podcast website presented by Patrick Gray in Australia, after the SoSasta discovery to seek advice on disclosure. The website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact, Gray said in a report on the website.
SoSasta was acquired by Groupon in January this year, but continues to use the original brand on its group-buying deals website.
Groupon said in an e-mailed statement that it had been alerted about a security issue that could potentially affect subscribers of SoSasta by “an information security expert,” but did not respond to questions asking for details of the issue and what caused it.
It said that it was alerted on Friday morning India time about the security issue and corrected the problem immediately.
SoSasta runs on its own platform and servers and is not connected to Groupon sites in other countries, Groupon said. This issue does not affect data from any other country or region, it added.
In a note to customers that was also put up on the company’s Facebook account, SoSasta’s customer support said it had been alerted to a security issue that had been brought under control and the accounts were now secure. It, however, advised customers to change their passwords on SoSasta immediately as a precautionary measure, as well as similar e-mail and password combinations if used on other websites.
SoSasta said that customers’ financial information, such as credit card and debit card information, had not been compromised, as that is not stored on SoSasta’s servers by law.
Grzelak runs a website, called ShouldIChangeMyPassword.com, which was set up to help people check if their passwords may have been compromised and need to be changed. The free service claims it uses a number of databases that have been released by hackers to the public.
Grzelak told Risky.Biz that thousands of these kind of databases are indexed by Google. “This just happened to be by far the biggest I found,” he added.
John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John’s e-mail address is john_ribeiro@idg.com