Groupon users have fallen victim to fraudsters placing orders in their name - expert comments

December 2016 by Experts

Earlier this afternoon, reports started surfacing about Groupon users falling victim
to fraudsters placing high-value orders in their name. Several cybersecurity experts comment below.

Rob Sobers, director at Varonis:

"Today’s news is the result of billions of compromised user accounts from other
breaches now being used to gain legitimate access to Groupon user accounts in order
to make high-ticket purchases just in time for the holidays. If hackers can co-opt a
consumer’s credentials for Groupon, then data security professionals need to be
asking themselves if those same passwords can be used to access their
organisation’s data.

"Barely a day goes by without us entering at least one password or PIN to prove we
are who we are before accessing information or resources. Yet, passwords are also
one of the things we consistently get wrong because we make them short, common and
the same across our various applications. If consumers are simplifying their
password authentication practices across their personal applications, then it stands
to reason that they may be doing this with their employee access credentials. A
perimeter defence doesn’t matter anymore if someone has the keys to the front door
who intends to do the individual user account or the organisation harm.

"Consumers need to take proactive steps to ensure their own data privacy by first
practicing good password hygiene. Troy Hunt, renowned security expert and author of
the free data breach service, “Have I been pwned?,” gives the everyday online
consumer helpful tips for creating strong and effective passwords in this free
online training sponsored by Varonis Systems, Inc.: “Internet Security Basics, 5
Lessons for Protecting Yourself Online.” He suggests that strong passwords need to
be at least 8 characters in length of random lower and upper case letters, numbers
and non-numeric punctuation. Your dog’s name plus the year is not a random
password. Instead a passphrase should be used to create length and randomness. For
example, “What’s Roger got for dinner?” can be manipulated with letter
substitution and shortened into an acronym. Finally and most importantly to the
Groupon example is that a strong password is unique and only used for one
application."
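The pattern Sobers describes (credentials leaked elsewhere replayed against many Groupon accounts) leaves a recognisable trace in authentication logs: one source trying many distinct usernames with a high failure rate and a few successes. The following added example, not code from the article or from any vendor quoted, shows a minimal detector over constructed login events; the IP addresses, usernames and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events: (source_ip, username, outcome).
# 203.0.113.7 replays leaked credentials against eight accounts; two match.
EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "fail"),
    ("203.0.113.7", "dave", "ok"),
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    ("203.0.113.7", "grace", "fail"),
    ("203.0.113.7", "heidi", "ok"),
    ("198.51.100.5", "bob", "fail"),   # a user mistyping once, then succeeding
    ("198.51.100.5", "bob", "ok"),
    ("192.0.2.9", "carol", "ok"),
]


def summarize(events):
    """Per source IP: distinct usernames tried, failure/success counts, successes."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "hits": set()})
    for ip, user, outcome in events:
        s = stats[ip]
        s["users"].add(user)
        if outcome == "ok":
            s["ok"] += 1
            s["hits"].add(user)
        else:
            s["fail"] += 1
    return stats


def flag_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag sources that spray many usernames and mostly fail; list the accounts
    that did succeed so they can be locked or forced through a password reset."""
    flagged = {}
    for ip, s in summarize(events).items():
        total = s["fail"] + s["ok"]
        ratio = s["fail"] / total
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing(EVENTS).items():
        print(ip, info)
```

The two "compromised" accounts are the ones whose passwords also worked on the breached third-party site, which is exactly the population that needs a forced reset and a fraud check on recent orders.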

Paul Fletcher, cyber security evangelist at Alert Logic:

"This is the type of secondary impact that can result from security breaches that
include personally identifiable information (PII) and specifically, username,
passwords and security question information. It’s extremely important to have
good “password” hygiene to lessen the impact of breaches on one system from
affecting another system. Part of good “password hygiene” is to NOT use the
same password on multiple websites, rotate (change) passwords on a recurring basis
and use different security questions on different systems and, when possible, use
two-factor authentication."

Lee Munson, security researcher at Comparitech.com:

"The issues experienced by Groupon customers show how a data breach can have
far-reaching consequences that affect more than just the company that was initially
attacked.

"The fact that Groupon account holders have seen accounts compromised, and money
lost, also says much about the practice of reusing email addresses and, especially,
passwords across many different websites.

"Users need to be aware of the risks of recycling login credentials, which means
one breach can undermine ALL their accounts, as well as be informed specifically
about this incident so they can at least change their Groupon password right away.

"As for Groupon itself, even though it hasn’t been breached, it appears it could
still learn a lesson or two about incident response so that its customers can retain
the belief that the company has their best interests and security at heart."
