Reused passwords behind Groupon fraud attack

Groupon says it wasn't hacked, but criminals may be using passwords stolen from other breaches

Groupon has denied it's been hacked following reports that users' accounts are being abused to buy expensive holidays.

Users of the discount site have reported hundreds of pounds missing from bank accounts, with one saying their account was used by a criminal to buy a holiday worth more than £2,400.

Groupon said it hasn't been hacked, claiming instead that the fault lies with fraudsters who have stolen login credentials.

"I can confirm there has been no security breach to our website or mobile app," a spokesperson told Mail Online. "What we are seeing however is a very small number of customers who have had their account taken over by fraudsters."

The spokesperson suggested criminals had stolen the credentials to target its users or tried those leaked from hacked websites, as people often reuse logins and passwords across services.

"Sadly this is often a result of reusing passwords on other sites. When large data breaches happen, the hackers or receivers of stolen details will try those details on sites that store or hold your card details," said Mark James, IT security specialist at ESET. "If successful, they may be able to purchase goods using authentication methods already stolen or even in some cases no authentication at all. If the only authentication is the CVC code of your card, then it's only a 1 in 1,000 chance to get it right."

"With so much of our data being stolen these days it's imperative you keep an eye on your emails and financial statements for any suspect transactions," he added.

If reused passwords are the issue, users should carry some of the blame, noted Jonathan Sander, VP of product strategy at Lieberman Software.

"Groupon was not breached as far as we know," he said. "If Groupon users decided to do what every security expert on earth, and likely every other service the user interacts with, has told them again and again not to do (use the same password for many websites and services), then how can the user expect anything but these terrible results?"

While users would be wise to finally heed that advice and stop reusing passwords across sites, security experts pointed out that the Groupon fraud highlights how a breach at one company can lead to losses at another. "The issues experienced by Groupon customers show how a data breach can have far-reaching consequences that affect more than just the company that was initially attacked," said Lee Munson, security researcher at Comparitech.com.

Reports on MoneySavingExpert suggested customer reports were taking as long as ten days to be addressed, with others saying there was no-one to report fraud to out of regular working hours. "As with any major online retailer, we take fraud extremely seriously and have a dedicated team to investigate customer issues as soon as they are reported," Groupon said.

If you have reused a password on Groupon, it's worth refreshing it now, and checking if your account has been compromised. If you have been a victim of such fraud, Groupon has said it will refund any money lost. You can report any concerns to Groupon's Customer Support.
