THREE MILLION Moonpig accounts exposed by flaw


Basic Good Manners

Wow. This is really the time when a reassuring notice on your web site is good PR move.

Even if you don't admit liability, it's good practice to at least acknowledge that there's been a problem and offer some reassurance that you're fixing it.

Or, like Moonpig, you can just pretend that it never happened....

Coat

Re: Basic Good Manners

Have to agree, they should have let users know - maybe send them a card or something...

Anonymous Coward

Re: Basic Good Manners

*any* company processing customer orders over the phone / internet should be forced to have a security audit once a year.

To this end, a list of companies passing / failing this test could be published and we, the great unwashed public, can then vote with our wallets as to whom we trust our identities with.....


Re: Basic Good Manners

Any organisation dealing with credit cards has to be PCI compliant.

Or rather, every organisation that deals with credit cards IS PCI compliant right up until they realise that someone else now has your CC number. It's a nice idea but I've never seen an audit that actually looked in close enough to spot every single possible security hole, and it only takes one.

This was a pretty stupid one though, and taking over a year to fix it is terrible.


Re: Basic Good Manners

There is a notice posted. Not on the front page, but on the Contact Us page at https://photobox-mpusa.custhelp.com/app/ask.

One might also say "It was on display in the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."


Handily, they've an online contact form people can use to request data removal/account closure.


Contact form

Cheers: I used the online form to request account deletion this morning.

I also redacted all the personal info I could beforehand "just in case" - though seemingly 17 months too late. Giving them 3 months would have been more than enough before blowing the whistle.

Thumb Up

Online contact form

@Phil Kingston - Would you be able to put up a link please?

Joke

contact form!

Please don't go substituting your customer id with another number and manually submit the form data in the hope of deleting some other customers account.


Re: Contact form (Update)

I got a very polite reply to my request agreeing to delete my account, so there is/are some folks at Moonpig who are worth their salt.

Facepalm

This brings back memories.....

"...meant every account and the names, birth dates, and email and street addresses could be accessed by changing the customer identification number sent in an API request."

The very first php web application I ever wrote contained exactly the same flaw.

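As an added illustration (not Moonpig's code, and not the commenter's PHP), here is the flaw quoted above in miniature: a handler that authenticates the caller but then trusts the customer id supplied in the request, beside a version that binds the id to the session. The records, tokens and function names are constructed for the example.

```python
# Added example, not Moonpig's code. A minimal in-memory "API" showing an
# insecure direct object reference (IDOR) and its fix. All data below is
# constructed: no real customers, tokens or addresses.

CUSTOMERS = {  # constructed sample records keyed by customer id
    1001: {"name": "Alice Example", "dob": "1980-01-01",
           "email": "alice@example.invalid", "address": "1 Sample Street"},
    1002: {"name": "Bob Example", "dob": "1975-05-05",
           "email": "bob@example.invalid", "address": "2 Sample Road"},
}

# Session tokens issued at login; each is bound to exactly one customer.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

# Refused cross-account lookups, kept so the fixed handler's denials can be
# reviewed later (a burst of these from one token is worth investigating).
REFUSALS = []


def authenticate(token):
    """Return the customer id the token was issued to, or None if unknown."""
    return SESSIONS.get(token)


def get_customer_vulnerable(token, customer_id):
    """Vulnerable handler: checks that the caller is logged in, then returns
    whatever record the caller asks for. Any valid session can read any
    account just by changing customer_id in the request."""
    if authenticate(token) is None:
        return None
    return CUSTOMERS.get(customer_id)


def get_customer_fixed(token, customer_id):
    """Fixed handler: authorization, not only authentication. The requested
    id must match the id the session was issued to; otherwise the request
    is refused and recorded."""
    caller = authenticate(token)
    if caller is None:
        return None
    if caller != customer_id:
        REFUSALS.append((token, customer_id))
        return None
    return CUSTOMERS.get(customer_id)
```

A stricter variant drops the `customer_id` parameter altogether and always serves the record for `authenticate(token)`, so there is nothing in the request to tamper with.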

Re: This brings back memories.....

Did you develop it for MoonPig?


Lipstick on a Pig!

nothing more to be said really.


The problem with Moonpig is simple. Rewriting their APIs costs money, and their business model is "undercut everybody," making their margins minimal.

The ICO should drag them over the coals backwards.

Anonymous Coward

The ICO should drag them over the coals backwards

Agreed, though I think forwards would be more effective - more delicate bits to roast.


Mmmmmmm, Bacon.

Happy

Mmmmmmm, Moon Bacon.


Depends

Depends on whether you go the whole hog and give them all your details or not.

(similar to people moaning about FB when they have added their entire life story to personal info.)


Re: Depends

Whole Hog...I see what you did there

Facepalm

Re: Depends

@Elmer Phud - "Depends on whether you go the whole hog and give them all your details or not.

(similar to people moaning about FB when they have added their entire life story to personal info.)"

No. It's not like moaning about Facebook at all. Facebook is a social networking site; Moonpig is an online shop that mostly sells greetings cards, often sending them directly to the intended card recipient. Moonpig should (and is required by law to) take responsible care of personal, including payment, details. If you don't want them to have any of your, or your intended card recipient's, details then you're not going to be able to do any business with them in the first place.

Try getting Amazon to deliver to you if you don't give them your money or your address.


Re: Depends

"Depends on whether you go the whole hog and give them all your details or not.

(similar to people moaning about FB when they have added their entire life story to personal info.)"

You are right, it does depend on whether you go the whole hog and give them all your details or not. Like Facebook (it is possible to give Facebook enough information for your friends to identify you without giving them any real personal stuff). One major difference: see how far you get with Moonpig without entering at least a credit/debit card and address. With Facebook you don't have to produce either.


Re: Depends

"See how far you get with Moonpig without entering at least a credit/debit card and address. With Facebook you don't have to produce either."

Yet. Give them time...

Trollface

Stop giving them ideas !


Facebook vs Moonpig

I couldn't see where to enter my address and credit card details on Facebook so posted them as a status update.

Am I doing it right?

Facepalm

We're only doing what we said we would.

Why complain? It's all in our name.

Our business model is to drop our trousers and display our naked arse to the entire internet...

[cue: music] Moon Pig dot com

Our policy to ignore everything and stick our fingers in our ears going oink oink oink la la la is just a bit of extra bare-arsed cheek.


I'm not sure why he's making such a big thing about the API help documentation. It's fairly standard practice to make that info publicly available. Maybe he doesn't have much experience of working with APIs?

That doesn't in any way excuse the lack of OAuth, or the inclusion of the customerID in the URL though, they should be roasted for that...


Except Moonpig don't have public APIs for 3rd party developers. They've (I'm guessing accidentally) published their internal API's docs (that they've also not secured). Like leaving your front door unlocked AND putting up a sign where the valuables are to be found.

FAIL

Pretty Shoddy

Went the same route just now...there's not even a warning on the website - nor has there been any communication with their customers?

Say what you like about the likes of eBay and Sony - at least they've been a bit timely when it's come to data breaches...

Anonymous Coward

To get a gift from moonpig really means "I couldn't be arsed looking for a decent gift for you and put zero thought into it."


Just asked them to close my account - the URL for the customer service form is https://photobox-mp.custhelp.com/app/ask

When I noticed Photobox in the URL, I checked, and found it's the same company (also paperShaker and Sticky9, who I've not heard of). Just to be on the safe side, I closed my account there as well. At least you can do that online in real time.

I've been a customer of moonpig (apparently) for 15 years, and photobox for at least 8. Their print quality was far superior to tesco as well, but I guess that will have to do now.


Photobox too

So is there any further news that Photobox is a potential issue too?

I'm hoping that there are different back ends (I'm not the most techy but I try) but you never know...

Facepalm

And there was me feeling smug about never having used MoonPig... Thanks for the heads-up.


Re: Photobox too

I haven't looked into the photobox app, or whether there is a similar API problem there, so I can't really comment. You can close your photobox account without having to contact customer services though, so the platform is obviously not completely identical.

I simply closed that account because the company is clearly insufficiently motivated to protect my privacy.


There's a message on their contact us page:

"....We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected..."


Re: There's a message on their contact us page:

Priority would have been 17 months ago. Sorry, too late, I'm gone.


Re: There's a message on their contact us page:

Wasn't suggesting it wasn't too late - I've also asked to be removed - just pointing out that they've finally put something up. Albeit with no prominence - it's only when you go into their contact form page.


Re: There's a message on their contact us page:

> all password and payment information is and has always been safe

Technically correct: passwords aren't exposed, and you don't get full credit card information.

However, they're being extremely dishonest by not mentioning all the other crap (ordering on others' accounts, seeing all their addresses, etc, etc).

Mushroom

Also....

Might want to have a look at Immobilise issue

https://ramblingrant.co.uk/immobilise-police-security-initiative-exposes-28-million-records/


Re: Also....

What the hell, what the hell, what the hell?


Relevant job posting

https://moonpig.com/uk/Jobs/security-officer/

The irony


Moonpig

proof that you can sell a computer and a printer to a fuckwit and they will merely use it to connect to someone else's computer and printer.

My daughter's school was in the process of designing xmas cards to send to someone else for printing and sending and taking a huge cut when I pointed out they had everything they needed to do it themselves and it would be a good exercise as part of business studies.

Joke

Never heard of moonpig...

...but I see they sell greetings cards... I wonder if they have a "I'm sorry you have been hacked" card?


Moonpig have replied to my request for information as follows:

"You may have seen reports this morning about our Apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

Facepalm

Safe in the sense that it was nowhere near deep water or being set on fire. Not safe in the sense that anyone on the internet was being stopped from accessing it.


I pressed them about my address/birthdays lists held on their site. They just sent me the above boilerplate again. I have asked the question once again but no response as yet.

Facepalm

Look at the website

and that shit logo... and the name! moonpig!!! Does it really look trustworthy??? It sounds like some crap thrown together with the likes of sitebuildit

https://www.google.co.uk/search?hl=en&q=sitebuildit&meta=cr%3DcountryUK|countryGB&gws_rd=ssl


I find it helps to have nomadic reclusive tendencies...

The last thing I want to see over any form of public or other occasion are the mewing brattish faces of someone or their wife/husband/offspring/dog/cat/house/car etc that I either don't like or don't remember plastered on a last minute greetings card from this bunch of cowboys, or that other bunch of fuckwits Funky fucking pigeon (that I assume are either part of the same company or equally as shit when it comes to security).

/end_rant

WTF?

Response to my request

Well basically I emailed them the following:

"Please close my account with the email address provided. You're not a safe company to deal with, especially as you were told about this issue 18 months ago. If you're looking at it now why couldn't you do it 18 months ago? Oh yeah, that's right: it'll cost money.

Delete all my information from your account please."

The response:

"Thank you for taking the time to contact us here at Moonpig.

We are sorry to hear that you would like us to close your account and understand your concerns. We have now carried out your request.

We would like to assure you that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.

As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.

If at any point you wish to reopen your account just let us know and we will be very happy to welcome you back.

Kind regards,

Nicholas"

How can they reopen my account if it's been deleted?


Re: Response to my request

@wolfetone Ask them! :-)

CC the ICO.

