Apparent Groupon hole exposes customer data
At least one customer logs in and sees someone else's credit card information and address.
An apparent security hole in Groupon's Web site has exposed the data of at least one customer, a Groupon customer who discovered the problem told CNET today.
When Stephen Pipino logged into the Web site to make a purchase, he saw someone else's credit card information and address displayed in his account, along with his own credit card data. The information belonged to someone with the same first and last name. Pipino verified that the address matched a business address for the other Pipino and has contacted him to let him know about the problem.
"This was an isolated incident and a case of human error which inadvertently merged two accounts by users of the same name," Groupon spokeswoman Julie Mossler told CNET. "No other Groupon customers' accounts have been compromised. We've frozen the account in question, will separate the two and take care not to repeat this error in the future. We also apologize to both customers for potentially causing any stress."
Pipino said he could see all of the other person's "address information, the last four digits of his credit card number, the expiration date and the bank and could have used his card to make my purchase." He added, "I have logged out and back in multiple times and it's still there. This could be happening on a much greater scale."
Pipino also complained that the site appears to automatically store his credit card data without customer permission. He went back in to use a new credit card to make the purchase today and when he next checked his account he noticed that the new card was stored there. "They just store your credit card information," he said. "I've never bought something on a Web site where they stored the credit card data unless they had asked me to store it."
Pipino works as a security information technology professional specializing in identity management, so he tends to pay attention to these sorts of details.
Updated at 4:30 p.m. PT with updated Groupon comment and at 4:12 p.m. PT with initial Groupon comment.