Reused passwords behind Groupon fraud attack

Groupon says it wasn't hacked, but criminals may be using passwords stolen from other breaches

Groupon has denied it's been hacked following reports that users' accounts are being abused to buy expensive holidays.

Users of the discount site have reported hundreds of pounds missing from bank accounts, with one saying their account was used by a criminal to buy a holiday worth more than £2,400.

Groupon said it hasn't been hacked, claiming instead that the fault lies with fraudsters who have stolen login credentials.

"I can confirm there has been no security breach to our website or mobile app," a spokesperson told Mail Online. "What we are seeing however is a very small number of customers who have had their account taken over by fraudsters."


The spokesperson suggested criminals had either stolen credentials to target its users or tried credentials leaked from hacked websites, as people often reuse logins and passwords across services.

"Sadly this is often a result of reusing passwords on other sites. When large data breaches happen, the hackers or receivers of stolen details will try those details on sites that store or hold your card details," said Mark James, IT security specialist at ESET. "If successful, they may be able to purchase goods using authentication methods already stolen or even in some cases no authentication at all. If the only authentication is the CVC code of your card then it's only a 1 in 1,000 chance to get it right."

"With so much of our data being stolen these days it's imperative you keep an eye on your emails and financial statements for any suspect transactions," he added.

If reused passwords are the issue, users should carry some of the blame, noted Jonathan Sander, VP of product strategy at Lieberman Software.

"Groupon was not breached as far as we know," he said. "If Groupon users decided to do what every security expert on earth, and likely every other service the user interacts with, has told them again and again not to do - use the same password for many websites and services - then how can the user expect anything but these terrible results?"

While users would be wise to finally heed that advice and stop reusing passwords across sites, security experts pointed out that the Groupon fraud highlights how a breach at one company can lead to losses at another. "The issues experienced by Groupon customers show how a data breach can have far-reaching consequences that affect more than just the company that was initially attacked," said Lee Munson, security researcher at Comparitech.com.


Reports on MoneySavingExpert suggested customer reports were taking as long as ten days to be addressed, with others saying there was no one to report fraud to outside regular working hours. "As with any major online retailer, we take fraud extremely seriously and have a dedicated team to investigate customer issues as soon as they are reported," Groupon said.

If you have reused a password on Groupon, it's worth refreshing it now, and checking if your account has been compromised. If you have been a victim of such fraud, Groupon has said it will refund any money lost. You can report any concerns to Groupon's Customer Support.
