BreachExchange mailing list archives

Groupon subsidiary leaks 300K logins, fixes fail, fails again


From: security curmudgeon <jericho () attrition org>
Date: Thu, 30 Jun 2011 13:41:24 -0500 (CDT)


http://infosecmedia.org/groupon-subsidiary-leaks-300k-logins-fixes-fail-fails-again/

Posted by Lewis on Jun 30th, 2011
Groupon subsidiary leaks 300K logins, fixes fail, fails again

Digital discount site Groupon is well known in the USA, but operates 
through subsidiaries in other parts of the world. The company recently 
acquired Indian digital discount operator SoSasta, which operates a 
separate India-specific website under the SoSasta name. If you're not 
familiar with the idea, you bid via the site to buy discounted items: 
mail-order underwear in St John's, Canada, for example; or a meal at the 
Hilton Hotel in New Delhi, India.

Once a minimum quota of bids is reached, all bidders get charged at the 
discounted price. Of course, bidding via the site means that you need an 
account with the site, which means a username and password. That means the 
site needs an authentication system. And that's where SoSasta fell down.

Earlier this week, Sydney security researcher Daniel Grzelak - the guy I 
wrote about last week who opened the handy password-breach-checking site 
shouldicheckmypassword.com - was doing Google searches against a range of 
on-line merchants to look for potential database leakage.

[..]


_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
