Groupon users have fallen victim to fraudsters placing orders in their name

Reports have started to surface about Groupon users falling victim to fraudsters placing high value orders in their name.Please see below for commentary from several cybersecurity experts.

Rob Sobers, director at Varonis:

“Today’s news is the result of billions of compromised user accounts from other breaches now being used to gain legitimate access to Groupon user accounts in order to make high-ticket purchases just in time for the holidays. If hackers can co-opt a consumer’s credentials for Groupon, then data security professionals need to be asking themselves if those same passwords can be used to access their organisation’s data.

“Barely a day goes by without us entering at least one password or pin to prove we are who we are before accessing information or resources. Yet, passwords are also one of the things we consistently get wrong because we make them short, common and the same across our various applications. If consumers are simplifying their password authentication practices across their personal applications, then it stands to reason that they may be doing this with their employee access credentials.  A perimeter defence doesn’t matter anymore if someone has the keys to the front door who intends to do the individual user account or the organisation harm.

“Consumers need to take pro-active steps to ensure their own data privacy by first practicing good password hygiene. Troy Hunt, renowned security expert and author of the free data breach service, “Have I been pwned?,” gives the everyday online consumer helpful tips for creating strong and effective passwords in this free online training sponsored by Varonis Systems, Inc.: “Internet Security Basics, 5 Lessons for Protecting Yourself Online.” He suggests that strong passwords need to be at least 8 characters in length of random lower and upper case letters, numbers and non-numeric punctuation. Your dog’s name plus the year is not a random password. Instead a passphrase should be used to create length and randomness. For example, “What’s Roger got for dinner?” can be manipulated with letter substitution and shortened into an acronym. Finally and most importantly to the Groupon example is that a strong password is unique and only used for one application.”

Paul Fletcher, cyber security evangelist at Alert Logic:

“This is the type of secondary impact that can result from security breaches that include personal identifiable information (PII) and specifically, username, passwords and security question information.  It’s extremely important to have good “password” hygiene to lessen the impact of breaches on one system from effective another system.  Part of good “password hygiene” is to NOT use the same password on multiple websites, rotate (change) passwords on a recurring basis and use different security questions on different systems and, when possible, use two factor authentication.”

Richard Meeus, VP technology EMEA at NSFOCUS:

“With the massive data breaches announced last week by Yahoo! – remember it was 1 billion accounts – it has never been more important to use different passwords on every site and use 2FA (2 factor authentication) where possible. 

Using the same username and password on every site should not be happening anymore. We need to change user apathy towards passwords and maybe also get website owners to be more proactive in supporting their customers by checking their user databases against the lists of breached accounts”

Lee Munson, security researcher at

“The issues experienced by Groupon customers show how a data breach can have far-reaching consequences that affect more than just the company that was initially attacked.

“The fact that Groupon account holders have seen accounts compromised, and money lost, also says much about the practice of reusing email addresses and, especially, passwords across many different websites.

“Users need to be aware of the risks of recycling login credentials – which means one breach can undermine ALL their accounts – as well as be informed specifically about this incident so they can at least change their Groupon password right away.

“As for Groupon itself, even though it hasn’t been breached, it appears it could still learn a lesson or two about incident response so that its customers can retain the belief that the company has their best interests and security at heart.”