Moonpig has warned customers that some of their email addresses, passwords, and account balances have been published after what it calls a “security issue”.
The company, which sells custom greeting cards, said in a message to users that attackers were not able to get any credit card information, as Moonpig does not store that data. However, the incident prompted Moonpig to reset the passwords for all of the affected users and the company said that it thinks the incident was the result of data being stolen from a third party and not directly from Moonpig.
“Late on Friday, 24 July, we became aware of a security issue whereby a number of Moonpig customer email addresses, account balance and passwords had been illegally published. As a precautionary measure, we promptly closed our Moonpig site and apps to help us investigate and contain this issue,” the company said in a statement.
“Following these investigations, we now have strong evidence that the customer email addresses and passwords we identified were taken previously from other third party websites, and not directly from Moonpig.com. This data was then used to access the account balances of some of our Moonpig.com customers.”
This is the second security issue in the last six months for Moonpig. In January a researcher found that it was possible to access any user’s payment card information through some manipulation with the Android app’s API.
“I hit my test users a few hundred times in quick succession and I was not rate limited,” researcher Paul Price, who found the problems, said at the time. “Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours – very scary indeed.”
Moonpig said that it has notified all of the users affected by the incident last week.
“We promptly contacted all our impacted customers advising them we had disabled their passwords to prevent any further access from the third party. Affected customers will now need to reset their passwords the next time they log in to the Moonpig.com site. We have also encouraged them to reset their passwords for other sites and services, particularly if they use the same combination,” the Moonpig statement says.