A number of Groupon users have seen hundreds of pounds stolen, as hackers snap up expensive goods using their accounts. The first sign of unapproved activity popped up earlier this month, with Groupon account holders receiving confirmation emails for products they hadn’t purchased. IT security experts from Varonis, Alert Logic, NSFOCUS, Comparitech.com, Lieberman Software and ESET commented below.
“Today’s news is the result of billions of compromised user accounts from other breaches now being used to gain legitimate access to Groupon user accounts in order to make high-ticket purchases just in time for the holidays. If hackers can co-opt a consumer’s credentials for Groupon, then data security professionals need to be asking themselves if those same passwords can be used to access their organisation’s data.
“Barely a day goes by without us entering at least one password or pin to prove we are who we are before accessing information or resources. Yet, passwords are also one of the things we consistently get wrong because we make them short, common and the same across our various applications. If consumers are simplifying their password authentication practices across their personal applications, then it stands to reason that they may be doing this with their employee access credentials. A perimeter defence doesn’t matter anymore if someone has the keys to the front door who intends to do the individual user account or the organisation harm.
“Consumers need to take pro-active steps to ensure their own data privacy by first practicing good password hygiene. Troy Hunt, renowned security expert and author of the free data breach service “Have I been pwned?”, gives the everyday online consumer helpful tips for creating strong and effective passwords in this free online training sponsored by Varonis Systems, Inc.: “Internet Security Basics, 5 Lessons for Protecting Yourself Online.” He suggests that strong passwords need to be at least 8 characters in length of random lower and upper case letters, numbers and non-numeric punctuation. Your dog’s name plus the year is not a random password. Instead a passphrase should be used to create length and randomness. For example, “What’s Roger got for dinner?” can be manipulated with letter substitution and shortened into an acronym. Finally and most importantly to the Groupon example is that a strong password is unique and only used for one application.”
Paul Fletcher, Cyber Security Evangelist at Alert Logic:
“This is the type of secondary impact that can result from security breaches that include personal identifiable information (PII) and specifically, username, passwords and security question information. It’s extremely important to have good “password” hygiene to lessen the impact of breaches on one system from affecting another system. Part of good “password hygiene” is to NOT use the same password on multiple websites, rotate (change) passwords on a recurring basis and use different security questions on different systems and, when possible, use two factor authentication.”
“With the massive data breaches announced last week by Yahoo! – remember it was 1 billion accounts – it has never been more important to use different passwords on every site and use 2FA (2 factor authentication) where possible.
Using the same username and password on every site should not be happening anymore. We need to change user apathy towards passwords and maybe also get website owners to be more proactive in supporting their customers by checking their user databases against the lists of breached accounts.”
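The check suggested above, screening customers' passwords against published breach lists without handing the full password to a third party, is what the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords service does: only the first 5 hex characters of the SHA-1 leave the site, and the suffix match happens locally. The example below is added here and is not from the article or any of the quoted firms; it simulates the range endpoint with a small constructed corpus (made-up passwords and counts) so it runs offline, and `audit_new_password` is a hypothetical policy hook for a signup or password-change handler.

```python
import hashlib

# Constructed stand-in for a breached-password corpus; the counts are made up
# for this example (a real list comes from a breach-notification service).
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_000_000, "123456": 20_000_000, "qwerty": 1_500_000, "letmein": 200_000,
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form the k-anonymity range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict) -> dict:
    """Group hashes by their first 5 hex chars, as a range endpoint serves them."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index

def range_lookup(index: dict, prefix: str) -> str:
    """Simulated range query (no network): only the 5-char prefix is sent,
    so the lookup service never learns the full hash or the password."""
    return "\n".join(index.get(prefix.upper(), []))

def breach_count(password: str, index: dict) -> int:
    """How often the password appears in the corpus; 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:  # the suffix match happens on the client side
            return int(count)
    return 0

def audit_new_password(password: str, index: dict, min_length: int = 8) -> list:
    """Signup / password-change policy: reject short or previously breached passwords."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(password, index)
    if seen:
        problems.append(f"seen {seen} times in breach data; choose a unique passphrase")
    return problems

if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("password", "Wh@tsRogerGot4Dinner?"):
        print(pw, "->", audit_new_password(pw, idx) or ["ok"])
```

Against the live service the same `prefix` would go in the URL path of the range endpoint and the response body would replace `range_lookup`; the client-side comparison is unchanged.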
“The issues experienced by Groupon customers show how a data breach can have far-reaching consequences that affect more than just the company that was initially attacked.
“The fact that Groupon account holders have seen accounts compromised, and money lost, also says much about the practice of reusing email addresses and, especially, passwords across many different websites.
“Users need to be aware of the risks of recycling login credentials – which means one breach can undermine ALL their accounts – as well as be informed specifically about this incident so they can at least change their Groupon password right away.
“As for Groupon itself, even though it hasn’t been breached, it appears it could still learn a lesson or two about incident response so that its customers can retain the belief that the company has their best interests and security at heart.”
“What we’re seeing with the Groupon security complaints is the triumph of social media noise over common sense. Groupon was not breached – as far as we know. If Groupon users decided to do what every security expert on earth, and likely every other service the user interacts with, has told them again and again NOT to do – use the same password for many websites and services – then how can the user expect anything but these terrible results? Does this mean Groupon has awesome security? No. The point is this isn’t about Groupon’s security in any way. This problem comes from users not making good choices even when they know the potential consequences. The reason so many security professionals feel like their advice is like “eat right and exercise” is because, just like health advice, people only seem to follow security advice after something terrible shows them bad things can happen to them, too.”
“Sadly this is often a result of reusing passwords on other sites. When large data breaches happen, the hackers or receivers of stolen details will try those details on sites that store or hold your card details. If successful, they may be able to purchase goods using authentication methods already stolen or, in some cases, no authentication at all; if the only authentication is the CVC code of your card, then it’s only a 1 in 1000 chance to get it right. With so much of our data being stolen these days, it’s imperative you keep an eye on your emails and financial statements for any suspect transactions. Be vigilant and, where possible, contact both your bank and the retailer as soon as possible with any discrepancies; keep all correspondence and review your passwords for any sites that can potentially store your credit card information. A password manager can help you use unique, complex passwords, and 2 factor authentication, if available, will stop others from using your login details.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security