A while back we wrote about a flaw in Groupon’s email link encryption, which revealed the emails of some Groupon users when “addx” was added into a Google search of Groupon’s site. We’ve been alerted that this is still happening, with about 170 emails coming up when we searched (last time around it was fewer than 80).
When this last happened, Groupon director of engineering Shinji Kuwayama told us that the emails were made public because some subscribers had “pasted their deals into publicly-crawlable pages around the Web,” but also that it was working on a solution to exclude those results. So why these are appearing now is unclear. We’re contacting Groupon to see if there is an explanation.
To put this in one kind of perspective, the number of emails here is a very small percentage of Groupon’s overall active customer base, reported as 36.9 million users in its last quarterly results in May. The company’s email subscriber list will number in the hundreds of millions.
On the other hand, not everyone wants their browsing or purchasing histories, linked to their email addresses, made public. Even with that small number, it’s bad privacy PR for Groupon, which has ambitions to go beyond the daily deal to become a wider e-commerce platform.
From what I’ve seen so far, the search results (found by entering allinurl: addx site:groupon.com in a Google search) all appear to be from deals that expired in 2011 and earlier. That might sound out of date, but our tipster, Robby Delaware, noted to us that even starting simple searches on those addresses can lead to more information about those users. Delaware has also used Twitter to alert Groupon’s Andrew Mason about the issue. The email leak has also been noted on a GetSatisfaction page for Groupon.
Also: this seems to be limited to Google searches; entering the same search string into Bing and Topsy produces no results.
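The allinurl: search above implies the addresses sit in the indexed URLs themselves. As an added example, not from the article or from Groupon, here is a Python check a site owner could run over a sitemap or access-log export to flag email addresses appearing in URL paths or query parameters, so the offending parameter can be scrubbed or the pages excluded from indexing; the sample URLs and the parameter names in them are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample URLs standing in for a sitemap or access-log export.
SAMPLE_URLS = [
    "https://www.example.com/deals/chicago/half-off-pizza?addx=alice%40example.com",
    "https://www.example.com/deals/boston/spa-day?utm_source=newsletter",
    "https://www.example.com/u/bob.smith@example.org/expired-deal",
    "https://www.example.com/deals/nyc/museum?addx=carol@example.net&ref=share",
]

# Loose email pattern; good enough to flag values that deserve review.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_pii_in_url(url):
    """Return a list of (location, value) pairs for email-like tokens in url.

    location is 'path' for a path segment or 'query:<param>' for a query value.
    Percent-encoded values (e.g. %40 for @) are decoded before matching.
    """
    hits = []
    parsed = urlparse(url)
    for segment in unquote(parsed.path).split("/"):
        if EMAIL_RE.fullmatch(segment):
            hits.append(("path", segment))
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        if EMAIL_RE.fullmatch(value):
            hits.append((f"query:{name}", value))
    return hits


def scan_urls(urls):
    """Map each offending URL to its findings; clean URLs are omitted."""
    return {url: hits for url in urls if (hits := find_pii_in_url(url))}


def summarize(report):
    """Count findings per location so the leaking parameter stands out."""
    return Counter(loc for hits in report.values() for loc, _ in hits)


if __name__ == "__main__":
    report = scan_urls(SAMPLE_URLS)
    for url, hits in report.items():
        for loc, value in hits:
            print(f"{url}\n    {loc}: {value}")
    print("by location:", dict(summarize(report)))
```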