Reused passwords behind Groupon fraud attack
Groupon says it wasn't hacked, but criminals may be using passwords stolen from other breaches
Groupon has denied it's been hacked following reports that users' accounts are being abused to buy expensive holidays.
Users of the discount site have reported hundreds of pounds missing from bank accounts, with one saying their account was used by a criminal to buy a holiday worth more than 2,400.
Groupon said it hasn't been hacked, claiming instead that the fault lies with fraudsters who have stolen login credentials.
"I can confirm there has been no security breach to our website or mobile app," a spokesperson told Mail Online. "What we are seeing however is a very small number of customers who have had their account taken over by fraudsters."
The spokesperson suggested criminals had stolen the credentials to target its users or tried those leaked from hacked websites, as people often reuse logins and passwords across services.
"Sadly this is often a result of reusing passwords on other sites, when large data breaches happen the hackers or receivers of stolen details will try those details on sites that store or hold your card details," said Mark James, IT security specialist at ESET. "If successful, they may be able to purchase goods using authentication methods already stolen or even in some cases no authentication at all, if the only authentication is the CVC code of your card then it's only a 1 in 1,000 chance to get it right."
"With so much of our data being stolen these days it's imperative you keep an eye on your emails and financial statements for any suspect transactions," he added.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
If reused passwords are the issue, users should carry some of the blame, noted Jonathan Sander, VP of product strategy at Lieberman Software.
"Groupon was not breached as far as we know," he said. "If Groupon users decided to do what every security expert on earth, and likely every other service the user interacts with has told them again and again not to do use the same password for many websites and services then how can the user expect anything but these terrible results?"
While users would be wise to finally heed that advice and stop reusing passwords across sites, security experts pointed out that the Groupon fraud highlights how a breach at one company can lead to losses at another. "The issues experienced by Groupon customers show how a data breach can have far-reaching consequences that affect more than just the company that was initially attacked," said Lee Munson, security researcher at Comparitech.com.
Reports on MoneySavingExpert suggested customer reports were taking as long as ten days to be addressed, with others saying there was no-one to report fraud to out of regular working hours. "As with any major online retailer, we take fraud extremely seriously and have a dedicated team to investigate customer issues as soon as they are reported," Groupon said.
If you have reused a password on Groupon, it's worth refreshing it now, and checking if your account has been compromised. If you have been a victim of such fraud, Groupon has said it will refund any money lost. You can report any concerns to Groupon's Customer Support.