A while back we wrote about a flaw in Groupon’s email link encryption, which revealed the emails of some Groupon users when “addx” was added into a Google search of Groupon’s site. We’ve been alerted that it is still happening, with about 170 emails coming up when we searched (last time around it was fewer than 80).
The last time around, Groupon director of engineering Shinji Kuwayama told us that the emails were made public because some subscribers had “pasted their deals into publicly-crawlable pages around the Web,” but also that it was working on a solution to exclude those results. So why these are appearing now is unclear. We’re contacting Groupon to see if there is an explanation.
To put this in one kind of perspective, the number of emails here is a very small percentage of Groupon’s overall active customer base, reported as 36.9 million users in its last quarterly results in May. The company’s email subscriber list will number in the hundreds of millions.
On the other hand, not everyone wants their browsing or purchasing histories, linked to their email addresses, made public. Even with that small number, it’s bad privacy PR for Groupon, which has ambitions to go beyond the daily deal to become a wider e-commerce platform.
From what I’ve seen so far, the search results (found by entering allinurl: addxused Twitter to alert Groupon’s Andrew Mason about the issue. The email leak has also been noted on a GetSatisfaction page for Groupon.