Reused passwords behind Groupon fraud attack

Groupon says it wasn't hacked, but criminals may be using passwords stolen from other breaches

Groupon has denied it's been hacked following reports that users' accounts are being abused to buy expensive holidays.

Users of the discount site have reported hundreds of pounds missing from bank accounts, with one saying their account was used by a criminal to buy a holiday worth more than £2,400.


Groupon said it hasn't been hacked, claiming instead that the fault lies with fraudsters who have stolen login credentials.

"I can confirm there has been no security breach to our website or mobile app," a spokesperson told Mail Online. "What we are seeing however is a very small number of customers who have had their account taken over by fraudsters."

The spokesperson suggested criminals had either stolen the credentials to target its users or tried credentials leaked from hacked websites, as people often reuse logins and passwords across services.

"Sadly this is often a result of reusing passwords on other sites, when large data breaches happen the hackers or receivers of stolen details will try those details on sites that store or hold your card details," said Mark James, IT security specialist at ESET. "If successful, they may be able to purchase goods using authentication methods already stolen or even in some cases no authentication at all, if the only authentication is the CVC code of your card then it's only a 1 in 1,000 chance to get it right."


"With so much of our data being stolen these days it's imperative you keep an eye on your emails and financial statements for any suspect transactions," he added.

If reused passwords are the issue, users should carry some of the blame, noted Jonathan Sander, VP of product strategy at Lieberman Software.

"Groupon was not breached as far as we know," he said. "If Groupon users decided to do what every security expert on earth, and likely every other service the user interacts with has told them again and again not to do use the same password for many websites and services then how can the user expect anything but these terrible results?" 

While users would be wise to finally heed that advice and stop reusing passwords across sites, security experts pointed out that the Groupon fraud highlights how a breach at one company can lead to losses at another. "The issues experienced by Groupon customers show how a data breach can have far-reaching consequences that affect more than just the company that was initially attacked," said Lee Munson, security researcher at


Reports on MoneySavingExpert suggested customer reports were taking as long as ten days to be addressed, with others saying there was no-one to report fraud to out of regular working hours. "As with any major online retailer, we take fraud extremely seriously and have a dedicated team to investigate customer issues as soon as they are reported," Groupon said.

If you have reused a password on Groupon, it's worth refreshing it now, and checking if your account has been compromised. If you have been a victim of such fraud, Groupon has said it will refund any money lost. You can report any concerns to Groupon's Customer Support.
