shakes head
Inflated valuation, IPO, shady CEO, what next? I'm tellin' ya, every time I see the name "Groupon" the ensuing articles just get funnier.
Groupon subsidiary Sosasta.com accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google. The trove of personal data was discovered by Australian security consultant Daniel Grzelak as he plugged a handful of query terms into the search engine, …
for sites where you don't care about security much - this one for instance, & a lot of other news forums etc. The ones to be very careful with are the obvious - anything with the slightest connection to money/identity.
Groupon are a class act, though. A slow train wreck.
Yes there is.
1. Let's say 10,000 people use the same username (gmail id) / same password for useless sites like el reg and xnet and groupon subsidiaries (but a totally diff one for gmail, bank, etc).
2. xnet, being more security conscious than el reg, ups the security by asking a few personal questions in case you lose your password, such as "Where was the first time you had anal sex" etc.
3. groupon subsidiary loses all the passwords.
4. 10,000 xnet and el reg accounts are hacked, no problem.
5. But out of those 10k lusers, 50% of them have the same security question at bank/gmail etc.
- So 5000 lusers give away access to their bank/gmail etc by losing groupon -> xnet -> bank.
So you have different security questions everywhere? Very probable.
And those people who are just doing as they're told, they circumvent this trap by filling in garbage (as opposed to something sensible, like a password management tool, or nothing at all)? Even more probable.
Any site insisting on a security question gets something like "lbbyiyiuhjhffjfyj" as an answer. One of my biggest bugbears with Win 7 was its insistence on entering a password hint.
If a site is important enough for me to actually worry about what happens if I've lost my password, there's a good chance I've a record of the password somewhere.
If sites are going to insist on security questions, they either need to let the user define the question or at least up their game a bit so we can't find the answer with a quick Google search.
- I am talking about 10000 people - deliberately. So there is bound to be a percentage who are not as security conscious as some of you (who are el reg readers).
- e.g. This is not going to happen to people who type "lbbyiyiuhjhffjfyj" for the security answer [unless they always type the same string :) ]. But what is the percentage of people who do that?
- Are questions across sites really unique if you register to over 100 sites over a period of 5-6 years? "What was your first telephone number?" "What was your first pet's name?"
- Combine this with people who have facebook walls open.
The basic reason for me to post was that someone made a suggestion that it's OK to use the same password everywhere, while it is not OK for a majority of the population to do so, even though some smart people may get away with it.
And I certainly don't mean to challenge your individual intelligence here.
Just did a search myself; found an SQL dump of yet another website, full user details with passwords stored as simple MD5 hashes... (an online decryptor supplied plain-texts for every one I tried) ... This dated from 2009; what sort of admin puts such things where a search engine can find it, and leaves it there so long too!!
... and that's a good thing, because it keeps us in the UK in jobs, firefighting their appalling output. Problem solving, diligence, honesty, thoroughness, common sense and defensive programming practices are not included in the daily £5 rate of your average Indian offshore whalla. But in the minds of some (GroupOn CIOs), the math somehow stacks up very nicely.
Whoever designed their system (especially the ones that call themselves "Architects") should immediately be let go. Even newbie web programmers know not to store clear text passwords anywhere, but instead just store and compare against an MD5 or SHA hash of it.
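An added example, not code from the thread or from Groupon, contrasting the unsalted MD5 storage suggested in the comment above with a salted, iterated PBKDF2 store; the user names, passwords and iteration count are constructed for the example. The duplicate-digest check shows why the online lookup mentioned a few comments up works against unsalted hashes and not against salted ones.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share a password (the reuse
# scenario this thread is about).
USERS = {"alice": "Summer2011", "bob": "Summer2011"}

PBKDF2_ROUNDS = 200_000   # assumption: work factor chosen for this example


def md5_store(password: str) -> str:
    """Unsalted MD5 as suggested above. Every user with the same password gets
    the same digest, so a single precomputed-table hit unmasks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$rounds$salt$digest'."""
    salt = salt or os.urandom(16)          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                        # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def has_duplicate_digests(store_fn, users=USERS) -> bool:
    """True if two users' stored values are identical (i.e. lookup-able)."""
    values = [store_fn(pw) for pw in users.values()]
    return len(set(values)) < len(values)


if __name__ == "__main__":
    print("unsalted MD5 duplicates:", has_duplicate_digests(md5_store))      # True
    print("salted PBKDF2 duplicates:", has_duplicate_digests(pbkdf2_store))  # False
    rec = pbkdf2_store(USERS["alice"])
    print("verify ok:", pbkdf2_verify("Summer2011", rec), pbkdf2_verify("wrong", rec))
```

Salting alone stops the shared-digest lookup; the iteration count is what makes guessing each record individually expensive.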
> and corrected the problem immediately
OK, so they got in touch with Google did they to get them to delete it from their cache? Or did they just delete the db table? Somehow I don't believe these guys when they make these simple errors that they don't notice but someone else does and they seem to know immediately how to fix it. Wasters.