The email addresses and clear-text passwords of 300,000 Indian Groupon users have been leaked and indexed by Google.
According to risky.biz, the entire user database of Groupon's Indian subsidiary Sosasta.com was accidentally published. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing email address and password pairs.
Grzelak, who also created shouldichangemypassword.com, said that he was searching SQL database files that were web accessible and contained keywords like ‘password’ and ‘gmail’. Groupon CEO Andrew Mason was informed, the database was removed, and all Sosasta users were informed of the incident.
In a statement, Groupon said: “After being alerted to this issue by an information security expert, we corrected the problem immediately. We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more.
“Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries. We are thoroughly reviewing our security procedures for Sosasta and are implementing measures designed to prevent this kind of issue from recurring. This issue does not affect data from any other country or region.
“Groupon takes security and privacy very seriously. Our users' trust is of paramount importance to us and we deeply regret this incident.”
Grzelak said: “There are thousands of these databases indexed by Google. This just happened to be by far the biggest I found.”