X

Apparent Groupon hole exposes customer data

At least one customer logs in and sees someone else's credit card information and address.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
Stephen Pipino was surprised to see credit card information belonging to another Stephen Pipino when he logged into his Groupon account. This is a redacted screenshot showing what he saw.
Stephen Pipino was surprised to see credit card information belonging to another Stephen Pipino when he logged into his Groupon account. This is a redacted screenshot showing what he saw. Stephen Pipino

An apparent security hole in Groupon's Web site has exposed the data of at least one customer, a Groupon customer who discovered the problem told CNET today.

When Stephen Pipino logged into the Web site to make a purchase, he saw someone else's credit card information and address displayed in his account, along with his own credit card data. The information belonged to someone with his same first and last name. Pipino verified that the address matched a business address for the other Pipino and has contacted him to let him know about the problem.

"This was an isolated incident and a case of human error which inadvertently merged two accounts by users of the same name," Groupon spokeswoman Julie Mossler told CNET. "No other Groupon customers' accounts have been compromised. We've frozen the account in question, will separate the two and take care not to repeat this error in the future. We also apologize to both customers for potentially causing any stress."

Pipino said he could see all of the someone else's "address information, the last four digits of his credit card number, the expiration date and the bank and could have used his card to make my purchase." He added, "I have logged out and back in multiple times and it's still there. This could be happening on a much greater scale."

Pipino also complained that the site appears to automatically store his credit card data without customer permission. He went back in to use a new credit card to make the purchase today and when he next checked his account he noticed that the new card was stored there. "They just store your credit card information," he said. "I've never bought something on a Web site where they stored the credit card data unless they had asked me to store it."

Pipino works as a security information technology professional specializing in identity management, so he tends to pay attention to these sorts of details.

Updated at 4:30 p.m. PT with updated Groupon comment and at 4:12 p.m. PT with initial Groupon comment.