Daily deals website SoSasta.com, which was acquired by GroupOn, has sent e-mailers to its users informing them about a security issue affecting their accounts, and advising them to change their passwords and report any unusual activity to the customer support team. This was reported by Mahesh Murthy via a tweet on Twitter. He also posted a screenshot of the e-mail communication that he received as a registered user.
Although the communication mentioned that the issue had been resolved and accounts were safe, it recommended that users also change passwords at other websites in case they were using the same username-password combination. The second statement suggests that the site’s password database may have been compromised. However, the e-mail also assures users that financial information such as credit card and debit card details has not been compromised, since it is not stored on SoSasta’s servers and is routed through CCAvenue (which was also reportedly hacked recently).
Database Leak; Internal Security Issue
Later, Patrick Gray, who runs the web security site Risky.biz, tweeted a link to a post on his site, according to which Australian security consultant Daniel Grzelak, while searching Google for publicly accessible databases containing e-mail address and password pairs, encountered SoSasta’s database, containing e-mail addresses and clear-text passwords of 300,000 users. According to the post, Grzelak contacted GroupOn through Risky.biz and informed it about the database, after which corrective measures were taken and users were alerted. MediaNama is in no position to verify Gray’s claims.
SoSasta has also issued a statement to MediaNama, in which it states that on Friday morning India time (Thursday night Central US time), Groupon was alerted by an information security expert to a security issue potentially affecting subscribers of SoSasta, following which the problem was rectified and advisories were issued to subscribers. It will keep users informed as it learns more. It categorically mentions that SoSasta runs on its own platform and servers, is not connected to Groupon sites in other countries, and that the issue does not affect data from any other country or region.
Protecting User Data; Why Use E-Mail I.Ds As Usernames?
Although SoSasta does not ask for the user’s home address, and even the mobile number is optional, it does rely on the user’s e-mail ID.
– Typically, an internet user logs on to most online services using a single e-mail ID and password. This includes social networking sites, which contain a lot of personal information including photographs, phone numbers and employment details. This makes the e-mail address and a common password the single master key to all of a user’s data. Should convenience outweigh user privacy? We feel it should not, and usernames should not be e-mail addresses.
– This case in particular is more related to the site’s callousness in protecting user data, since there was no external attack. The onus is on the website to ensure that passwords are not stored in plain text but are protected using the highest security standards. And we wonder why GroupOn did not upgrade the server infrastructure in line with its international operations.
Media Statement: Sosasta Security Issue
On Friday morning India time (Thursday night Central US time), Groupon was alerted to a security issue potentially affecting subscribers of Sosasta, a website acquired by Groupon in January 2011.
After being alerted to this issue by an information security expert, we corrected the problem immediately. We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more.
Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries.
We are thoroughly reviewing our security procedures for Sosasta and are implementing measures designed to prevent this kind of issue from recurring.
This issue does not affect data from any other country or region.
Groupon takes security and privacy very seriously. Our users’ trust is of paramount importance to us and we deeply regret this incident.