Data breach at SoSasta, Groupon's Indian subsidiary, reveals security negligence
Groupon's Indian subsidiary, SoSasta.com, has inadvertently published 300,000 email addresses and passwords from its subscriber database. Automatically indexed by Google's (NASDAQ: GOOG) search engine, the mistake was discovered by Daniel Grzelak, founder of the security website shouldichangemypassword.com. Grzelak says he found the bonanza of data while running Google searches for publicly available databases of email addresses and passwords.
While this incident confirms once again the folly of reusing passwords across different sites, it also shows that not all online services encrypt the passwords in their databases, an extraordinarily simple task. While SoSasta was quick to fix the problem, the site was criticized for merely sending an email asking users to reset their passwords. As observed by security expert Paul Ducklin of Sophos, the right way to go about it would be a forced password reset with email re-confirmation. Ducklin also noted other security inadequacies, including the lack of HTTPS or other protective measures when users update their profiles. Furthermore, poor passwords can be chosen without any warning.
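As an added illustration (not code from SoSasta, Groupon or the article), here is a minimal Python sketch of the handling Ducklin recommends: store only salted PBKDF2 hashes rather than plaintext, invalidate the exposed credential at once instead of just asking the user to change it, and let the user set a new password only through a single-use, expiring token delivered by email, rejecting weak choices. The token lifetime, PBKDF2 cost and the short common-password list are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # slow, salted hash so a leaked table is not plaintext
RESET_TOKEN_TTL = 3600        # seconds a reset link stays valid (assumed value)
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty"}  # constructed sample list


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_is_weak(password: str) -> bool:
    # The kind of check the article says SoSasta never performed
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


class Accounts:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}                       # email -> {"salt", "digest"}
        self.reset_tokens: Dict[bytes, Tuple[str, int]] = {}  # sha256(token) -> (email, expiry)

    def add_user(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest}

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None or user["digest"] is None:   # None marks an invalidated credential
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["digest"])

    def force_reset(self, email: str, now: int) -> str:
        # Kill the exposed credential immediately; an email saying "please reset" leaves it live
        self.users[email]["digest"] = None
        token = secrets.token_urlsafe(32)   # emailed to the user; only its hash is kept server-side
        self.reset_tokens[hashlib.sha256(token.encode()).digest()] = (email, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str, now: int) -> bool:
        key = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.get(key)
        if entry is None or now > entry[1]:
            self.reset_tokens.pop(key, None)   # unknown or expired token: discard it
            return False
        if password_is_weak(new_password):
            return False                       # token kept so the user can retry with a stronger one
        del self.reset_tokens[key]             # single use
        self.add_user(entry[0], new_password)
        return True
```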
The takeaway here is that we should never assume a site has good security just because it's successful. Companies need to incorporate security reviews and independent tests as part of top-down directives, or risk losing the trust of their customers in the event of a breach.
For more:
- check out this article at AFP
- check out this article at PCWorld
- check out this article at Naked Security