One user has claimed their account was used to purchase a £2,400 European holiday
Thousands of pounds have been stolen from the bank accounts of Groupon users after fraudsters used login credentials leaked in previous data breaches.
Groupon is adamant that it hasn’t been hacked, but instead claims its users are victims of password reuse where usernames and passwords were the same as those already stolen from other cyber attacks.
Criminals have carried out unauthorised purchases on expensive items such as iPhones, iPads and PlayStations, with one user claiming their account was used to purchase a £2,400 European holiday.
Groupon played down the severity of the issue, saying: “There has been no security breach or ‘hack’. What we are seeing however is a very small number of customers who have had their account taken over by fraudsters. Nothing out of the ordinary for an e-commerce site. Typically, we see this kind of activity when customers use the same password across multiple online sites. When one of the other sites is compromised, fraudsters attempt to use those credentials in other places.”
Consumer site MoneySavingExpert.com has urged Groupon users to check their accounts for any fraudulent transactions, reporting that signs of unusual actvities have been appearing since the beginning of December.
Wieland Alge, VP & GM EMEA at Barracuda Networks commented: “The Groupon breach adds to 2017’s long list of cyber attacks. Even though, in this instance, the hackers used login details retrieved elsewhere, it demonstrates that another organisation can be impacted by a seemingly separate crime.
“Unfortunately, some organisations still think they have time to wait until they become a target or they believe they can weather the storm. Organisations need to be prepared. Whoever does not wear a raincoat AND have an umbrella to hand these days will get wet.”
Password reuse is becoming an ever-bigger issue as businesses continue to be hit by data breaches. Food delivery company Deliveroo and mobile network O2 both claimed that hacked accounts were as result of previously-compomised credentials, making poor passwords one of the biggest security risks for businesses.