Tuesday, November 19, 2013

My Groupon Account Got Hacked: A PSA

Almost everyone I know has a Groupon account. It's a great way to try out a new restaurant, or get discount tickets to local attractions. It's not something you might use every day, but its helpful the few times you do. Like most people I had a Groupon account. I used it maybe three times a year [though I get e-mails from them three times a day] and aside from one minor hack years ago, I had no complaints. Last week, after an evening out, K and I came back to our hotel and I flipped open my cell phone and saw yet another e-mail from Groupon. This time, the subject header: purchase confirmation, got my attention:


Gaming? Like, Nintendo? Well that didn't happen.

The credit card used was one stored on Groupon's website. The same credit card stolen a few weeks ago, when someone, with a huge fondness for Walmart, hacked some website [which I now suspect may have been Groupon] and got my credit card information. The credit card used had been canceled for weeks.

Since there was a two hour window to cancel the purchase, I did what most would do in this situation. I clicked over to Groupon's website. I tried logging in. And couldn't. I sent a "password reset" e-mail. Nothing. And then, my phone vibrated. A new message from Groupon:


What the what? I called the provided number and was greeted by a message about them being busy dancing, or skipping, or something, and how they'd be back Monday. Unable to cancel the order, I called American Express, who perhaps blame-shifting or perhaps not, told me the canceled credit card went through because the vendor [read: Groupon] overrode the "declined credit card" status.

While AmEx assured me I wouldn't be paying for someone's gaming laptop, it gave me the heebie jeebies to know someone out there had my account, my identifying information and apparently the ability to successfully use declined credit cards. So the next morning, as soon as I could, while my kiddo splashed in the pool with his dad, I sat in the hotel and called Groupon.

They couldn't find my account. You see, they link your account to your e-mail address. Once that is changed, they told me that Monday, they can't find it. The lady, sweet as a button, took my information, the order number, and assured me someone from their 'integrity department' would call me by day's end as this is a serious matter we take very seriously here.

No one called. So I sent an e-mail that evening. I got an auto e-mail about flying monkeys or something and how they would contact me ASAP, but as the days went on it became apparent their definition of ASAP differed from mine.

So I called again and was informed there was no record of my Monday call. The customer service rep was, however, able to locate the purchase and the new e-mail address which was a fabricated mishmash [though eerily still using my name] and said someone would help me by Monday, thus going on more than a week since the fraud took place. In the meantime she told me I had to call AmEx and get them to give me my old credit card information as Groupon required it to help me further. Don't worry, she said, I won't let you slip through the cracks, I will send you a follow up e-mail detailing next steps after we hang up. 

Sit down for this. Ready? No follow up e-mail came.  

Frustrated, I wrote about it on twitter: Thanks . My acct got stolen & $$ racked up Called/Emailed Nada. Dont vent on businesses via twitter but feeling truly ignored

And somehow, just like that, I got a reply on twitter. And then, outside of business hours, I got a flurry of e-mails and within a 24 hour window, my hacked account was located, deactivated and my money refunded without any call to AmEx required.

During the week of dealing with this, I learned that what happened to me is common with Groupon. So common its happening daily to hundreds of people. The thieves, knowing that Groupon is closed on the weekends, so you can't do anything about anything then, use the weekend to do the bulk of their thefts. Groupon makes it easier for them by not retaining any trace of your e-mail address once they change it and thus making finding your account almost impossible by the support team you're connected to. I'm not the only one who gets ignored by them when this happens. And I'm apparently not the only one ignored until they vented on twitter.

So why am I sharing my experience? Most certainly not to say you should cancel your Groupon account [though I am canceling mine], but as this is the second time my Groupon account has had fraud-related issues, I am sharing to warn you to not store your credit card information on their website. When you make a purchase its stored automatically but after all my research it seems clear that Groupon doesn't do enough to protect this critical information.

All this to say, aggravating lingo aside, Groupon has its benefits, just be prepared that if the something hits the fan, they just might make you feel like you took full-retail-priced crazy pills. I know almost everyone has a Groupon account, so I'm sharing my experience with the hopes that it can help prevent someone from going through what I did because truly, no half-priced pass to the zoo was worth all this.

13 comments:

Sabina said...

Wow, that is scary! ty for the eye opener. So sorry for your troubles! :(

Lawyer Loves Lunch said...

My gosh, how scary! So glad this got resolved for you. And you can bet I'll be visiting Groupon's site next.

Aisha said...

Sabina, Azmina, it was freaky--- and I will probably have to put a fraud alert thing for myself at this point, but glad that this post might help others avoid this situation which is apparently common.

Rachael said...
This comment has been removed by the author.
Aisha said...

Hi Rachael, I think the issue is now formally resolved as I have written confirmation of this. As for problems because of sharing what happened to me, I hope not, I'm not telling anyone to deactivate nor am I hopefully vilifying them here, my goal is to share my experience so others can be aware of the potential harm of storing your credit card on their site.

Rachael said...

I was going to share it on twitter but was worried it might cause a problem. Now I will share it :)

Julia Munroe Martin said...

Yikes. This is terrifying to me. Especially because another friend just had a $6500 charge to her PayPal account in a similar scheme. I don't check my online accounts closely enough and her experience and yours have made me really pay attention. Thank you (and I'm so glad it all worked out -- what a great choice to go public on Twitter!)!

Aisha said...

Rachael, thank you for checking in and asking! I'm happy to spread the word so others don't have to learn the hard way. Hope Groupon will improve security soon.

Julia, oh my gosh! this is why I dont even have a pay pal account because I'm like you and I'd be afraid I'd miss something that egregious. Not having paypal has proven frustrating at times but when I briefly had it I got so many phishing e-mails and regular e-mails I couldn't figure out which one was real and which wasn't. It's scary in an online world how many ways our identities can be taken.

JEN said...

Awful! So glad it is sorted!

Aisha said...

Thanks Jen, yes it was frustrating, not the end of the world ofcourse, but I was just surprised at the run around.

Sumeera Younis said...

Thanks! Just removed my credit cards from Groupon.

Life | Above | Zero ! said...

My Sympathies for u

iamstacey said...

Oh my gosh, what a nightmare! Something similar happened to me years ago with PayPal, so I never use them to pay for anything. I'm so glad they finally straightened it all out!

The vacation pictures are beautiful! I'm so glad you all had such a wonderful time!

Post a Comment

I love to hear from you!