My Groupon account was hacked

11th January 2017

One of my responsibilities within the Council is creating and sharing advice regarding online security. Like all of us though I don’t always practice what I preach and this was brought home to me last night when I received an email notifying me that I’d purchased a couple of iPhone 6’s for nearly £1000 from Groupon.

Once I’d decided that this wasn’t a strange and overly generous late Christmas present it was time to try and sort out the mess.

What seemed to have happened is that my account had been compromised, I’m unclear if this was a simple brute force of the password or something larger scale. Luckily for me I received the notification via email and could check my bank details to see what was going on. My bank was, unsurprisingly, very helpful and immediately cancelled the transactions and the card itself, luckily it was all on a Credit Card so no additional fuss. The bank also gave me the ‘standard’ advice:

Install an up to date virus scanner – Reasonable advice I guess though I’m fine with the built in stuff thanks

Change your other passwords and don’t use the same password anywhere else. Yup, that was something I needed to do.

Much like any IT professional I’m always telling people what they should do but not what I think they will do and that includes myself. What I should really do is use a password manager exclusively and unique, random passwords for all sites. What I’ve actually done is a combination of that along with using a couple of rubbish passwords for all the sites that I deem unimportant. When I say rubbish password i’m talking about the kind of useless dictionary word followed by 4 digit pin affair that wouldn’t hold up for any amount of time. I’ve since updated pretty much everything I can think of. Sorting all this out though made me think of a couple of things which it would be great if all online e-commerce sites could do:

Allow me to close an account. I know its anathema to ever let you delete anything anywhere but the option would be quite nice.

Don’t store my credit card details silently. I know you want to be like Amazon and have a super friction-less purchasing experience but, hey, you’re not Amazon.

Groupon: Really not impressed with this bunch in any way. So I’ll just list a few obvious points:

  • Provide contact details without needing to  be logged in
  • Their customer service apparently can’t see my account and would need to escalate after being provided a bank statement before they would even look into the issue
  • Take the damn stuff seriously rather than just repeating ‘I’m sorry on the phone. This kind of thing is going to happen to all companies even the best (I’m not for a moment suggestign that Groupon is the best mind you). It’s how you deal with the issues that counts
  • Maybe flag massive purchases for multiple items being sent to a different name in a different part of the country.
  • Make sure to email the primary account holder if the email address of password is being changed
  • And, as I mention above, don’t store my credit card details without my express permission.


So, what I’d say is that don’t be as lazy as me with your passwords and maybe be carefully if you think about using Groupon.