Groupon is calling on users of their India subsidiary, Sosasta.com, to change their passwords after the company accidentally published a database containing the usernames and passwords of some 300,000 customers, according to a report from Risky.biz.
The database, including plaintext passwords and usernames, was being indexed by Google when it was discovered by Australian security consultant Daniel Grzelak. He found it as he searched for publicly accessible databases of password and email address pairs to add to his latest side project, shouldichangemypassword.com, a site that allows users to run a quick search and check if their passwords have been compromised and need to be changed.
“There are thousands of these databases indexed by Google,” Grzelak told Risky.biz. “This just happened to be by far the biggest I found.”
Groupon released a statement saying they had been alerted to a “security issue potentially affecting subscribers of Sosasta” late last Thursday. According to the report, the database has been removed. Groupon is now in the process of notifying Sosasta customers of the incident and encouraging them to change their Sosasta passwords in addition to any shared passwords they may have had on any other service.
“Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries,” the Groupon statement reads. “This issue does not affect data from any other country or region.”
Threatpost reached out to Groupon’s press contact, Julie Mossler, but she declined to make any comment, directing me to the company’s official statement instead, which can be read in its entirety in the Risky.biz report.