

Groupon leaks entire Indian user database - Garbage
http://risky.biz/sosasta

======
microarchitect
_We have begun notifying our subscribers and advising them to change their
Sosasta passwords as soon as possible. We will keep our Indian subscribers
fully informed as we learn more._

This is a lie. Neither I nor my brother has heard from them. Keep in mind
that this happened on Friday and it's already Tuesday here. In the meantime, I
have been spammed about deals that I don't care about through e-mail and text
messages four times.

~~~
rkalla
I suppose we also have no verification that the passwords are no longer stored
in plain text either, so changing it seems to be postponing the inevitable --
it is now a target for getting hacked again, with a delicious plain text
payload as the reward for anyone doing it.

If my doctor was leaking my medical records left and right to advertisers
around town, I would sue him... at some point leaking my online identity has
to have some sort of repercussions behind it besides me getting online and
being openly angry on the internet.

Yep, that'll do it ;)

ADDENDUM. Speak of the devil (another HN story):
[http://www.consumeraffairs.com/news04/2011/06/cloud-site-dropbox-drops-the-ball.html](http://www.consumeraffairs.com/news04/2011/06/cloud-site-dropbox-drops-the-ball.html)

~~~
nickolai
> If my doctor was leaking my medical records left and right to advertisers
> around town, I would sue him... at some point leaking my online identity has
> to have some sort of repercussions behind it besides me getting online and
> being openly angry on the internet.

What would you do? Sue them? The EULA you have accepted usually forbids it,
or limits the amount of damages you can claim to a few bucks. I am not a
lawyer, but I doubt such an EULA would be declared void in court.

~~~
pavel_lishin
Somehow, I think this wouldn't be the case. Otherwise, doctors would be
throwing EULA agreements left and right, and saving millions on malpractice
insurance fees.

~~~
sunir
They do. They are called waivers. You sign them all the time when using the
health care system.

~~~
SoftwareMaven
I've never seen a complete waiver of rights. What you typically sign is an
agreement to try arbitration before (or instead of) suing in the courts. I
don't believe it is possible to waive the ability to be penalized for
negligence, just the venue the penalty is assessed in.

Of course, said arbiter is much less likely to give out a seven digit award
than a jury is.

------
mqzaidi
Here's the communication they sent. This is totally a lie - my email was in
the database, and they have only been saying an issue potentially affecting
them.

-------

Hi SoSasta Subscriber,

Over this weekend, we've been alerted to a security issue potentially
affecting subscribers of Sosasta. We wanted to let you know that the issue has
been brought under control and your accounts are secure. However, as a
precautionary measure, we recommend that you change your SoSasta password
immediately, by visiting the SoSasta website (Sign-In using your existing
password, then click on Profile followed by Change Password). If you use the
same email/password combination at other websites, we recommend you change
those passwords as soon as possible, too.

Please be aware that none of your financial information (Credit Card, Debit
Card, NetBanking etc) has been compromised since this information is not
stored on SoSasta, as per law.

If you have any concerns or find any unusual changes in your SoSasta account,
please contact our Customer Support team as soon as possible at 1800 103 2111
between 9.30 a.m. and 6.30 p.m. IST, Monday to Saturday so that we can review
your account.

You should know that we are working aggressively to prevent this from
happening again. Sosasta takes security and privacy very seriously -- it's
important to us to provide you with a safe shopping experience of the highest
quality, and we will do everything possible to keep your trust. Please accept
our apology for any inconvenience or concern we've caused.

Sincerely, SoSasta Customer Support

~~~
Zakuzaa
Was your password in plaintext? Just to confirm what others have been saying.

------
franze
As we are currently Groupon bashing, take a look at groupon.de (Germany)
<http://www.groupon.de/deals/berlin>

Scroll down ... down ... down ... there it is (gray text on black background),
the crappiest example of SEO I have seen in a long long time. Keyword stuffing
is so 2004.

"Berlin, as the capital of the Federal Republic, is known for its sights and
its wide range of leisure activities. ... ... Berlin Deal ... ... discounts
... ... to save money... ... voucher ... bla ... ... offers of the Berlin Deal
... ... wellness offers ... ... restaurant vouchers.... ... leisure
experiences, events and services in Berlin ... ... shopping and online shop.
... ... Berlin vouchers ... ... "

I would have guessed that a multi billion dollar company could at least hire a
decent SEO guy.

~~~
eliben
While arguably interesting, I don't see how this is related to the linked
password leak.

~~~
franze
Yeah, I know, but shitty SEO is not worth a separate 'submit' - also the
overall theme of this thread is 'just another poor business decision / f*ck up
by Groupon' and this seems to fit the bill.

------
gary4gar
I can guess how this can happen.

---------------------

First, take the db dump, for backups/setting up another server etc.

$ mysqldump -u <user> -p<password> <db name> > xyz.sql

Now, let's move the db dump file to the webroot. I hate SSH, FTP, RSYNC -- too
complicated for me. I like clicking hyperlinks. KISS FTW!

I guess nobody will notice that the file is present here. How can they know? I
won't tell them!

$ mv xyz.sql public_html/uploaded/users

Now I can download it simply by going to

<http://www.sosasta.com/uploaded/users/xyz.sql>

See how easy this is, why complicate things unnecessarily.

---------------------

I guess the guy wouldn't have even imagined mighty Google would index this &
people from all around would download the file, resulting in a major security
breach.

This is what you get when you act ignorant or plain lazy. Poor guy...lol
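The scenario above (a `mysqldump` output dropped under the web root) is the kind of thing a deploy or cron check can catch before a crawler does. The following is an added example, not code from the thread or from any Groupon/SoSasta system: it walks a web root and flags files that look like database exports, matching either on common dump suffixes or on the `-- MySQL dump` header that `mysqldump` writes, so a dump renamed to `.txt` is still found. The directory layout and file contents it builds (`build_demo_webroot`) are constructed for the demo.

```python
import os
import tempfile

# Constructed list of suffixes that usually mark a database export or backup
# left in a web root; extend it for your stack.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".sql.bz2", ".dump", ".bak", ".tar.gz", ".zip")

# Header mysqldump writes at the top of every dump file.
MYSQLDUMP_HEADER = b"-- MySQL dump"


def looks_like_dump(path):
    """Return True if the file name or its first bytes mark it as a DB export."""
    name = os.path.basename(path).lower()
    if name.endswith(DUMP_SUFFIXES):
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(MYSQLDUMP_HEADER)


def find_exposed_dumps(webroot):
    """Walk webroot and return sorted relative paths of files that look like dumps."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if looks_like_dump(full):
                hits.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_webroot():
    """Create a constructed web root mirroring the thread's scenario (demo data only)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploaded", "users"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>ok</html>")
    # The dump from the story: recognised by its .sql suffix.
    with open(os.path.join(root, "uploaded", "users", "xyz.sql"), "w") as fh:
        fh.write("-- MySQL dump 10.13\n"
                 "INSERT INTO users VALUES (1,'a@example.com','hunter2');\n")
    # A renamed dump: the extension hides it, the header does not.
    with open(os.path.join(root, "uploaded", "notes.txt"), "w") as fh:
        fh.write("-- MySQL dump 10.13\nCREATE TABLE t (id int);\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for rel in find_exposed_dumps(demo_root):
        print("exposed dump:", rel)
```

Run it against the real document root instead of the demo directory (`find_exposed_dumps("/var/www/html")`) from a cron job or a pre-deploy hook, and treat any hit as a blocker. The content sniff is the part worth keeping: extension-only checks miss exactly the renamed-file case.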

~~~
TeMPOraL
> This is what you get when you act ignorant or plain lazy.

Or, in the general case[1], when 'industry standard' tools are a PITA to use.
Simpler solutions are always preferred, for better or worse.

[1] I'm not defending here the person that caused the SoSasta breach.

EDIT: Formatting.

------
51Cards
Ok my mouth is literally agape at the number of database dumps indexed by
Google. I guess I just never thought of searching for something so simple and
now I'm floored at how often this seems to happen. How does anyone possibly
allow a data dump to come anywhere near somewhere Google could index it?

~~~
oozcitak
> How does anyone possibly allow a data dump to come anywhere near somewhere
> Google could index it?

Let me just put this sql dump in the web root for a couple hours to copy over
to the test server.

~~~
bad_user
Google also has to know that the file is there, before indexing it, either
from a link available to Google, or from the website's sitemap, or by
activating directory listing in Apache, or some other shit like that.

~~~
maratd
This is very simple. If you're using the Chrome browser, ChromeOS, or Google
Toolbar, then Google is using their PageRank tech ... or essentially sending
the URL you type into the browser to their servers for ranking purposes. If
you can access it freely on the net, assume it is already indexed, even if
there are no links to it.

~~~
redsymbol
Is this true? Can you (or anyone) point to some kind of reference or evidence?
If valid, I'd consider this an almost dangerous breach of privacy.

~~~
maratd
As requested:

[http://en.wikipedia.org/wiki/PageRank#The_intentional_surfer...](http://en.wikipedia.org/wiki/PageRank#The_intentional_surfer_model)

> The Google toolbar sends information to Google for every page visited, and
> thereby provides a basis for computing PageRank based on the intentional
> surfer model.

For it to display a pagerank, it has to send the url to Google (otherwise, how
is it going to know what to display the rank for?). Google can then send the
crawler to that address later.

> If valid, I'd consider this an almost dangerous breach of privacy.

I don't believe they monitor who is going where. Just where people are going.
Although it would be trivial for them to monitor who is going where ...

Also, an FYI, if you are logged in to Google and you're using their search
engine, then they ARE monitoring you. Check out Google Web History.

~~~
redsymbol
Thanks for the link.

I was concerned more with content indexing of URLs that are not meant to be
public, to the point where that content could show in search results. Imagine
my editor emails me a link to a blog article for approval before publishing.
Or, as a designer, you create a draft of a web page to show to your client;
and for the convenience of said client, you prefer not to have it password
protected (nor take the time to set it up - you have enough to do!)

In both cases, imagine that someone loads the URL in their Chrome browser. If
that action resulted in the URL being added to the googlebot's itinerary, even
though no publicly visible webpage links to it, the result could be the
exposure of information that we don't want. Or for the blog post example, it
could even affect SEO by causing a duplicate content penalty.

Of course we can password protect the page, exclude the urls in robots.txt,
etc. But there is a labor cost and inconvenience to having to do that, and
there is always risk that something would slip through.

That said, what I write above is likely pure speculation; I don't know of any
evidence that Google is actually doing this, and it seems unlikely to me that
they would.

------
india
Did anyone manage to get a copy of the sql file? A password analysis of a
largely Indian audience could be pretty interesting.

~~~
pavel_lishin
I'm mostly wondering if their usernames and passwords are strictly ASCII, or
if they're using another alphabet.

~~~
bdhe
Most Indian computers I've seen are standard American or British layouts.
India has a lot of English speakers [1] and most computer-savvy folk,
especially the kind that use Groupon will definitely know enough English to
use English usernames and passwords.

[1] [http://en.wikipedia.org/wiki/List_of_countries_by_English-speaking_population](http://en.wikipedia.org/wiki/List_of_countries_by_English-speaking_population)

------
skbohra123
Incidents like this make me wonder whether success has anything to do with
talent. Even a mediocre developer wouldn't make such a mistake, and these
people are acquired by Groupon. Then, I think, it's all about who you know?

~~~
pagekalisedown
As you get older, you realize the world isn't a meritocracy. Only the young,
poor, and/or foolish will believe that.

~~~
Deestan
If you're lucky, you might also realize that being condescending is alienating
and a bad way to get your point across.

------
g123g
Sosasta means "so cheap" in Hindi. Maybe they are too cheap to spend any
effort on security of their users' data.

~~~
iqster
Sasta means cheap ... the so is English ;)

~~~
subbu
But the intended meaning is 'so cheap'.

~~~
nayanga
Sosastaa == too cheap

------
jtchang
In clear text? Really? How is this even allowed anymore?

~~~
sunchild
And indexed by Google. That is terrible.

~~~
jc123
It might have been good that it was indexed by Google so that the problem was
found quicker. Completely agree about how cleartext can be allowed. Harder to
regulate overseas, but would it be possible to have an actual law in the USA
against storing passwords and other confidential data in cleartext? There are
various consumer protections for things such as food, cars, and toys; could
similar things be legislated for data?

~~~
Joakal
Of course. Keywords: PCI, MIPSA/HIPAA, etc.

More:
[https://secure.wikimedia.org/wikipedia/en/wiki/Information_p...](https://secure.wikimedia.org/wikipedia/en/wiki/Information_privacy)

~~~
jc123
Yes, my impression is that passwords are not treated with the same seriousness
as say credit card numbers, or health info. That (passwords) was actually what
I was curious about, before I generalized my comment.

~~~
sunchild
Passwords are one of the safeguards (perhaps the most important) that protect
personal/sensitive data.

------
nestlequ1k
Heads outta roll for this one. The dev, the supervisor, his supervisor.
Probably all the way up to VP.

It's a stupid, boneheaded mistake, but one of those that could only be made in
an environment where security is extremely lax. Easiest way to fix the
environment here is to just fire everyone involved.

------
adhipg
Continuing on that line of thought - a simple search like 'filetype:sql
phpmyadmin' also shows a lot of 'interesting' results.

------
TheOnly92
Maybe Google should start working with a security firm so that once their bots
crawl a leaked database they will notify the website owner immediately.

~~~
Zakuzaa
I think Google would rather just not index such data.

~~~
mike-cardwell
I can't think of a reason why Google would care... I certainly can't think of
a reason why Google would care enough to spend money on staff/research in
order to get that type of content out of the index.

If you don't want something indexed, don't put it on the web. And sure as hell
don't link to it.

~~~
g123g
True, if you are incompetent enough to expose your most sensitive data on the
internet yourself, why do you expect others to come to your aid? Even if
Google does not index it, what is stopping other search engines from indexing
it, or hackers from getting access to it directly? There are a lot of tools
which will automatically index all the content of a website with the click of
a button. So I think it is best to put the onus on the website collecting the
user data to protect it. If they cannot, then maybe they should just use some
third party authentication and minimize the amount of sensitive data that they
need to keep on their servers.

------
mukeshsinghr
If companies themselves are ready to compromise their users' email IDs and
passwords, then who can protect them? Hackers just showed the people the
mistakes that were made. Otherwise, even a small child knows well how to hide
his password from other people.

------
evolution
anybody got that sql?

~~~
dagrz
All the data has been removed and only exists in sha1 hash form but you can
see if you were affected at <https://shouldichangemypassword.com/>

------
drivebyacct2
I am not normally in favor of legislation, but I'd be okay with a fine for US-
based companies that leak and expose this kind of data. Specifically a harsher
fine for cleartext or anything less than bcrypt.

~~~
sandGorgon
Nothing is gonna happen to Groupon (or the Indian subsidiary). OTOH, Dropbox
just got hit with a class action lawsuit.

------
suking
Your User Information - 100% Off!

------
PartyDawg
Sue this irresponsible company into oblivion.

