Numerous Groupon users have reported that thousands of pounds have been stolen from their bank accounts after fraudsters gained illegal access to their Groupon accounts and made extravagant, unauthorised purchases in their names. The cybercriminals allegedly used login details swiped in other data breaches to hack into individual customers' Groupon accounts and purchased a wide range of expensive items, including iPhones, iPads, a PlayStation 4 and even a holiday.
According to UK consumer website MoneySavingExpert, reports from irked Groupon customers have been popping up since the beginning of December.
One Groupon customer reported that the fraudster used his account to buy a $3000 (£2426) European vacation. Another said his compromised account was used to purchase some trips and a laptop, while multiple others reported that theirs were used to send Starbucks gift cards to "friends".
Many users have also voiced their frustration with the company's customer services, claiming that they were unable to get the company to immediately address their cases and fraudulent transactions.
One customer was reportedly told that he would have to wait up to 10 days before his issue was dealt with.
A Groupon spokesperson told MailOnline that while the company itself was not hacked, individual accounts of some users in the UK may have been compromised.
"I can confirm there has been no security breach to our website or mobile app," the spokesperson said. "What we are seeing, however, is a very small number of customers who have had their account taken over by fraudsters."
The spokesperson noted that scammers have various ways of obtaining user login credentials, such as trojan attacks, phishing emails, malware and spyware, which they use to try to steal customer data, illegally break into an account and make fraudulent purchases. They added that the company takes fraud cases seriously and has a team dedicated to addressing customer issues "as soon as they are reported".
"Sadly this is often a result of reusing passwords on other sites," ESET IT security specialist Mark James told IBTimes UK. "When large data breaches happen, the hackers or receivers of stolen details will try those details on sites that store or hold your card details. If successful, they may be able to purchase goods using authentication methods already stolen or even in some cases no authentication at all."
Ilia Kolochenko, CEO of security firm High-Tech Bridge, said such attacks will continue to plague users due to the common, unsafe practice of using the same password across different platforms and services.
"Once a single account is hacked, others can be easily compromised in a domino effect," Kolochenko said. "Moreover, even if users have different passwords, they frequently use similar ones, making them easily guessable or bruteforceable. This is a real El Dorado for cybercriminals, who can leverage outcomes of one major breach to get profit for months or even years."
He said large companies should have advanced anti-fraud systems to detect and inform users of any unusual activity or suspicious behaviour on their accounts.
"If fraud prevention systems are not properly implemented, consumers may have a valid reason to sue negligent retailers and claim reimbursement for their financial losses," he said.