Jun 28, 2011 08:50 GMT

SoSasta.com, an Indian Groupon subsidiary, has accidentally published its entire customer database, which includes emails and plaintext passwords, on the Internet.

According to Risky.biz, the security breach was discovered by an Australian security consultant named Daniel Grzelak, who searched Google for SQL files containing email addresses and passwords.

Grzelak maintains a website called ShouldIChangeMyPassword.com, which allows people to check whether their passwords were compromised by searching for their email address in databases leaked by LulzSec and other similar groups.

The security consultant was looking for more data to add to his website when he stumbled upon the SoSasta user database.

The SQL file called xyz.sql was hosted on the company's own website and contained the email addresses and passwords of the site's 300,000 subscribers, all of whom have been notified of the compromise.

Groupon issued a statement claiming that "SoSasta runs on its own platform and servers, and is not connected to Groupon sites in other countries."

Nevertheless, this breach raises several important questions. First of all, who is responsible for uploading a database dump to a publicly accessible website and in a directory open to Google's crawlers?

The company launched an internal investigation in order to determine the circumstances that led to this situation, but the practice is otherwise common with poorly trained webmasters.
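A dump sitting inside the document root is exactly the kind of thing a periodic check can catch before a search engine does. The following script is an added example, not code from the article or from Groupon or SoSasta: it walks an assumed web-root path and reports any file whose name ends in a dump or backup suffix (the suffix list is an assumption), using a constructed temporary directory as sample input so it runs offline.

```python
"""Scan a web root for database dumps and other files that should never be
served to visitors. Added example, not from the article or from the company
it describes; the web-root path and the suffix list are assumptions."""
import os
import tempfile

# Suffixes that almost always mark a dump or backup rather than site content.
# This list is an assumption; extend it for your own environment.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".dump", ".bak", ".sqlite", ".db")

def find_exposed_dumps(webroot):
    """Return the relative paths of files under webroot whose names end with
    one of SENSITIVE_SUFFIXES, sorted so the output is deterministic."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if name.lower().endswith(SENSITIVE_SUFFIXES):
                found.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(found)

def build_sample_webroot():
    """Create a throwaway directory tree that mimics a site with a stray
    dump left in a sub-folder (constructed data for this example)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "css"))
    os.makedirs(os.path.join(root, "backup"))
    for rel in ("index.html", "css/site.css", "backup/xyz.sql", "users.db"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    return root

if __name__ == "__main__":
    root = build_sample_webroot()
    for path in find_exposed_dumps(root):
        print("exposed:", path)
```

Anything the scan reports belongs outside the document root altogether; a robots.txt entry or an obscure file name is not a mitigation, because the file is still served to anyone who requests it.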

Another question is why the passwords were stored in plain text and not as cryptographic hashes. Password hashing has been recommended since the '80s and has pretty much been the standard in web programming for the past half decade or more.

Maintaining a popular website like SoSasta.com in 2011 without employing password hashing is incredibly irresponsible and reflects poorly on the company's ability to keep data secure.
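To make the contrast concrete, here is an added example (not code from the article or from Groupon or SoSasta) that puts the plaintext storage the breach exposed next to a hashed store. The hashed version uses a random per-user salt with scrypt from the standard library; bcrypt or Argon2 would serve the same purpose. The in-memory "user tables", account data and cost parameters are all constructed assumptions.

```python
"""Plaintext password storage beside a salted, hashed store. Added example;
the user tables and all account data below are constructed, not real."""
import hashlib
import hmac
import os

# --- The pattern the breach exposed: the password itself is the record. ---
plaintext_users = {}

def register_plaintext(email, password):
    plaintext_users[email] = password      # a leaked dump reveals every password

# --- Hardened store: random per-user salt + scrypt (a memory-hard KDF). ---
hashed_users = {}
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed cost; tune to your hardware

def hash_password(password, salt=None):
    """Derive a 32-byte digest; a fresh 16-byte salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            dklen=32, **SCRYPT_PARAMS)
    return salt, digest

def register_hashed(email, password):
    hashed_users[email] = hash_password(password)   # dump reveals only salt + hash

def verify_hashed(email, password):
    record = hashed_users.get(email)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown accounts
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison

def record_reveals_password(record, password):
    """What a reader of a leaked dump learns: True if the stored record
    contains the password verbatim."""
    if isinstance(record, str):
        return password in record
    salt, digest = record
    return password.encode("utf-8") in salt + digest

if __name__ == "__main__":
    register_plaintext("a@example.test", "hunter2")
    register_hashed("a@example.test", "hunter2")
    print("plaintext dump reveals password:",
          record_reveals_password(plaintext_users["a@example.test"], "hunter2"))
    print("hashed dump reveals password:",
          record_reveals_password(hashed_users["a@example.test"], "hunter2"))
    print("login with correct password:", verify_hashed("a@example.test", "hunter2"))
```

Two details matter beyond "use a hash": the per-user salt means two users with the same password get different records, so a leaked table cannot be cracked in one pass, and the slow key-derivation function makes each guess cost real CPU and memory rather than a single SHA-1 call.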

"We are thoroughly reviewing our security procedures for SoSasta and are implementing measures designed to prevent this kind of issue from recurring," Groupon said. Meanwhile, users are strongly advised to change their passwords as soon as possible on all websites where they might have used them.