Groupon is investigating the case of a Seattle man who was able to log into another user’s Groupon account by using Facebook Connect. Matt Steckler, a former web developer and current Seattle tech recruiter, said he fired up his Groupon iPhone app yesterday to check on a deal he had bought earlier in the morning. What he found was that he was logged in as someone completely different; another “Matt” from San Francisco with a different last name.
Steckler said he had used Facebook Connect to sign into his iPhone account and didn’t notice the switched accounts until he went to check on his deal. When he tried to get into his web account from his computer, he again used Facebook to log in. But after failing a couple of times because the account was using the other user’s Facebook log-in, Steckler clicked out of the log-in screen and was still able to gain access to the other person’s account. Steckler was able to use the other user’s Groupon account and even made a couple of test purchases, which he later cancelled.
We contacted Groupon and they said they were looking into the issue. It’s unclear how many other people might be affected. It’s possible that it’s only Steckler, though he doubts that. As a former web developer, he has built two apps that utilized Facebook Connect for log-ins. He suspects that at some point in the last week or so, Groupon made some sort of change to its database so when users logged-in through Facebook Connect, the system was rewriting Facebook Connect data, user ID information and tokens with incorrect values. If true, it could be that more users are also affected if their accounts were mixed up with others.
“This is a huge deal,” said Steckler. “I love Groupon but this shouldn’t happen. I shouldn’t log in and be able to access someone else’s account.”
Steckler believes the issue showed up within the last week because he doesn’t recall seeing the other user’s information when he last used his iPhone app a week ago. He believes this is not an issue with Facebook but with the way Groupon is handling the log-in information.
I and one of my colleagues haven’t been able to recreate the issue so again, this could be very isolated. But Steckler wonders if Groupon’s fast growth may have something to do with the problem, causing sloppiness in its database. This is not the first time Groupon users have noticed log-in issues: Groupon members reported log-in problems in February with a popular Barnes & Noble deal. I’ve seen other cases reported of users having a hard time logging into Groupon.
Groupon seems to be aware of the seriousness of the problem. Groupon’s vice president of engineering, David Gourley, called Steckler this afternoon to get more information on the problem. We’ll let you know if we hear more back from Groupon. It’s still unclear how big a problem this is but it’s still a bad lapse that shouldn’t occur for a company handling consumer financial information. Perhaps, a big IPO pay day can pay a new database to prevent something like this from happening again.
Related content from GigaOM Pro (subscription req’d):
- Defining Hadoop: the Players, Technologies and Challenges of 2011
- The Near-Term Evolution of Social Commerce
- A 2011 NewNet Forecast