back to article THREE MILLION Moonpig accounts exposed by flaw

Custom mugs and tat outfit Moonpig has a signficant flaw that exposes personal records and partial credit card details for some three million customers, almost 18 months after it was reported. The failure, discovered and privately reported by developer Paul Price, meant every account and the names, birth dates, and email and …

  1. Barry Rueger

    Basic Good Manners

    Wow. This is really the time when a reassuring notice on your web site is good PR move.

    Even if you don't admit liability, it's good practice to at least acknowledge that there's been a problem and offer some reassurance that you're fixing it.

    Or, like Moonpig, you can just pretend that it never happened....

    1. Slacker@work
      Coat

      Re: Basic Good Manners

      Have to agree, they should have let users know - maybe send them a card or something...

      1. Anonymous Coward
        Anonymous Coward

        Re: Basic Good Manners

        *any* company processing customer orders over the phone / internet should be forced to have a security audit once a year.

        To this end, a list of companies passing / failing this test could be published and we, the great unwashed public, can then vote with our wallets as to whom we trust our identities with.....

        1. phuzz Silver badge

          Re: Basic Good Manners

          Any organisation dealing with credit cards has to be PCI compliant.

          Or rather, every organisation that deals with credit cards IS PCI compliant right up until they realise that someone else now has your CC number. It's a nice idea but I've never seen an audit that actually looked in close enough to spot every single possible security hole, and it only takes one.

          This was a pretty stupid one though, and taking over a year to fix it is terrible.

    2. garetht t

      Re: Basic Good Manners

      There is a notice posted. Not on the front page, but on the Contact Us page at https://photobox-mpusa.custhelp.com/app/ask.

      One might also say "It was on display in the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying “Beware of the Leopard”

  2. Phil Kingston

    Handily, they've an online contact form people can use to request data removal/account closure.

    1. Whitter

      Contact form

      Cheers: I used on online form used to request account deletion this morning.

      I also redacted all the personal info I could beforehand "just in case" - though seemingly 17 months too late. Giving them 3 months would have been more than enough before blowing the whistle.

      1. Whitter

        Re: Contact form (Update)

        I got a very polite reply to my request agreeing to delete my account, so there is/are some folks at Moonpig who are worth their salt.

    2. Don Dumb
      Thumb Up

      Online contact form

      @Phil Kingston - Would you be able to put up a link please?

    3. adnim
      Joke

      contact form!

      Please don't go substituting your customer id with another number and manually submit the form data in the hope of deleting some other customers account.

  3. adnim
    Facepalm

    This brings back memories.....

    "...meant every account and the names, birth dates, and email and street addresses could be accessed by changing the customer identification number sent in an API request."

    The very first php web application I ever wrote contained exactly the same flaw.

    1. FrJackHackett

      Re: This brings back memories.....

      Did you develop it for MoonPig?

  4. Steve Davies 3 Silver badge

    Lipstick on a Pig!

    nothig more to be said really.

  5. DanMcIntyre

    The problem with Moonpig is simple. Rewriting their APIs costs money, and their business model is "undercut everybody," making their margins minimal.

    The ICO should drag them over the coals backwards.

    1. Anonymous Coward
      Anonymous Coward

      The ICO should drag them over the coals backwards

      Agreed, though I think forwards would be more effective - more delicate bits to roast.

      1. wolfetone Silver badge

        Mmmmmmm, Bacon.

        1. Zog_but_not_the_first
          Happy

          Mmmmmmm, Moon Bacon.

  6. Elmer Phud

    Depends

    Depends on whether you go the whole hog and give them all your details or not.

    (similar to people moaning about FB when they have added thier entire life story to personal info.)

    1. Martin-73 Silver badge

      Re: Depends

      Whole Hog...I see what you did there

    2. Don Dumb
      Facepalm

      Re: Depends

      @Elmer Phud - "Depends on whether you go the whole hog and give them all your details or not.

      (similar to people moaning about FB when they have added thier entire life story to personal info.)"

      No. It's not like moaning about Facebook at all. Facebook is a social networking site, Moonpig is an online shop that mostly sells greetings cards, often sending them directly to the intended card recipient. Moonpig should (and is required by law) to take responsible care of personal, including payment, details. If you don't want them to have any of your, or your intended card recipient's details then you're not going to be able to do any business with them in the first place.

      Try getting Amazon to deliver to you if you don't give them your money or your address.

    3. Stuart Castle Silver badge

      Re: Depends

      "Depends on whether you go the whole hog and give them all your details or not.

      (similar to people moaning about FB when they have added thier entire life story to personal info.)"

      You are right, it does depend on whether you go the whole hog and give them all your details or not. Like facebook (it is possible to give Facebook enough information for your friends to identify you without giving them any real personal stuff). One major difference. See how far you get with Moonpig without entering at least a credit/debit card and address.. With Facebook you don't have to produce either.

      1. Anonymous Coward
        Anonymous Coward

        Re: Depends

        "See how far you get with Moonpig without entering at least a credit/debit card and address.. With Facebook you don't have to produce either."

        Yet. Give them time...

        1. Pascal Monett Silver badge
          Trollface

          Stop giving them ideas !

          1. theblackhand

            Facebook vs Moonpig

            I couldn't see where to enter my address and credit card details on Facebook so posted them as a status update.

            Am I doing it right?

  7. I ain't Spartacus Gold badge
    Facepalm

    We're only doing what we said we would.

    Why complain? It's all in our name.

    Our business model is to drop our trousers and display our naked arse to the entire internet...

    [cue: music] Moon Pig dot com

    Our policy to ignore everything and stick our fingers in our ears going oink oink oink la la la is just a bit of extra bare-arsed cheek.

  8. Alister

    I'm not sure why he's making such a big thing about the API help documentation, It's fairly standard practice to make that info publicly available. Maybe he doesn't have much experience of working with APIs?

    That doesn't in any way excuse the lack of OAuth, or the inclusion of the customerID in the URL though, they should be roasted for that...

    1. Andy Nugent

      Except Moonpig don't have public APIs for 3rd party developers. They've (I'm guessing accidentally) published their internal API's docs (that they've also not secured). Like leaving your front door unlocked AND putting up a sign where the valuables are to be found.

  9. Obitim
    FAIL

    Pretty Shoddy

    Went the same route just now...there's not even a warning on the website - nor has there been anty communication with their customers?

    Say what you like about the likes of eBay and Sony - at least they've been a bit timely when it;s come to data breaches...

  10. Anonymous Coward
    Anonymous Coward

    To get a gift from moonpig really means "I couldn't be arsed looking for a decent gift you and put zero thought into it."

  11. Tom Sparrow

    Just asked them to close my account - the URL for the customer service form is https://photobox-mp.custhelp.com/app/ask

    When I noticed Photobox in the URL, I checked, and found it's the same company (also paperShaker and Sticky9, who I've not heard of). Just to be on the safe side, I closed my account there as well. At least you can do that online in real time.

    I've been a customer of moonpig (apparently) for 15 years, and photobox for at least 8. Their print quality was far superior to tesco as well, but I guess that will have to do now.

    1. Obitim

      Photobox too

      So is there any further news that Photobox is a potential issue too?

      I'm hoping that there are different back ends (I'm not the most techy but I try) but you never know...

      1. Tom Sparrow

        Re: Photobox too

        I haven't looking into photobox app, or whether there is a similar API problem there, so I can't really comment. You can close your photobox account without having to contact customer services though, so the platform is obviously not completely identical.

        I simply closed that account because the company is clearly insufficiently motivated to protect my privacy,

    2. Just Enough
      Facepalm

      And there was me feeling smug about never having used MoonPig... Thanks for the heads-up.

  12. TonyJ

    There's a message on their contact us page:

    "....We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected..."

    1. Tom Sparrow

      Re: There's a message on their contact us page:

      Priority would have been 17 months ago. Sorry, too late, I'm gone.

      1. TonyJ

        Re: There's a message on their contact us page:

        Wasn't suggesting it wasn't too late - I've also asked to be removed - just pointing out that they've finally put something up. Albeit with no prominence - it's only when you go into their contact form page.

        1. This post has been deleted by its author

    2. Oliver Humpage

      Re: There's a message on their contact us page:

      > all password and payment information is and has always been safe

      Technically correct: passwords aren't exposed, and you don't get full credit card information.

      However, they're being extremely dishonest by not mentioning all the other crap (ordering on others' accounts, seeing all their addresses, etc, etc).

  13. ScaredyCat
    Mushroom

    Also....

    Might want to have a look at Immobilise issue

    https://ramblingrant.co.uk/immobilise-police-security-initiative-exposes-28-million-records/

    1. Destroy All Monsters Silver badge

      Re: Also....

      What the hell, what the hell, what the hell?

  14. Matt 94

    Relevant job posting

    https://moonpig.com/uk/Jobs/security-officer/

    The irony

  15. Tom 7

    Moonpig

    proof that you can sell a computer and a printer to a fuckwit and they will merely use it to connect to someone else's computer and printer.

    My daughters school were in the process of designing xmas cards to sent to someone else for printing and sending and taking a huge cut when I pointed out they had everything they needed to do it themselves and it would be a good excercise as part of business studies.

  16. RISC OS
    Joke

    Never heard of moonpig...

    ...but I see they sell greetings cards... I wonder if they have a "I'm sorry you have been hacked" card?

  17. Brian Davies

    Moonpig have replied to my request for information as follows:

    "You may have seen reports this morning about our Apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.."

    1. breakfast Silver badge
      Facepalm

      Safe in the sense that it was nowhere near deep water or being set on fire. Not safe in the sense that anyone on the internet was being stopped from accessing it.

    2. Brian Davies

      I pressed them about my address/birthdays lists held on their site. They just sent me the above boilerplate again. I have asked the question once again but no response as yet.

  18. RISC OS
    Facepalm

    Look at the website

    and that shit logo... and teh name! moonpig!!! Does it really look trustworthy??? It sounds like some crap thrown together with the likes of sitebuildit

    https://www.google.co.uk/search?hl=en&q=sitebuildit&meta=cr%3DcountryUK|countryGB&gws_rd=ssl

  19. Aristotles slow and dimwitted horse

    I find it helps to have nomadic reclusive tendencies...

    The last thing I want to see over any form of public or other occasion are the mewing brattish faces of someone or their wife/husband/offspring/dog/cat/house/car etc that I either don't like or don't remember plastered on a last minute greetings card from this bunch of cowboys, or that other bunch of fuckwits Funky fucking pigeon (that I assume are either part of the same company or equally as shit when it comes to security).

    /end_rant

  20. wolfetone Silver badge
    WTF?

    Response to my request

    Well basically I emailed them the following:

    "Please close my account with the email address provided. You're not a safe company to deal with, especially as you were told about this issue 18 months ago. If you're looking at it now why couldn't you do it 18 months ago? Oh yeah, that's right: it'll cost money.

    Delete all my information from your account please."

    The response:

    "Thank you for taking the time to contact us here at Moonpig.

    We are sorry to hear that you would like us to close your account and understand your concerns. We have now carried out your request.

    We would like to assure you that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.

    As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.

    If at any point you wish to reopen your account just let us know and we will be very happy to welcome you back.

    Kind regards,

    Nicholas"

    How can they reopen my account if it's been deleted?

    1. Disgruntled of TW

      Re: Response to my request

      @wolfetone Ask them! :-)

      CC the ICO.

    2. Obitim

      Re: Response to my request

      I'd also be interested in the response!

      1. wolfetone Silver badge

        Re: Response to my request

        Here is the response.

        I sent back:

        "How can you reopen my account if I've asked you to delete it? If it's deleted it shouldn't be recoverable?

        Please, delete my data. All of it. Properly. "

        They said:

        "Thank you for taking the time to get back in contact.

        We have now requested that all personal details relating to your account be removed. Please bear in mind that you will no longer have access to your order history. Should you wish to re-open an account in the future you would be able to use the same email address but lose access to any previous orders.

        If you require any more assistance or information please feel free to contact us further and we will be more than happy to assist."

        I didn't CC the ICO in it, should have done. But I don't feel totally confident that they will do what they said to be honest.

  21. RainForestGuppy

    I share the opinions:-

    "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architect this system needs to be waterboarded," Price said

  22. Anonymous Coward
    FAIL

    I can still log on

    I "deleted" my account with them, and specifically asked for deletion, not just flagging as deleted or dormant, and got a confirmation email from them that it has been done. Great!

    Guess what - I CAN STILL LOG ON, and see my order history, contact addresses, reminders etc.

    Omnishambles!

    1. Obitim

      Re: I can still log on

      Checked mine this morning after that little horror story - thankfully it's definitely gone!

  23. This post has been deleted by its author

  24. Anonymous Coward
    Anonymous Coward

    That's one hot piggy

    I want a taste of that meat.

  25. Mike Flugennock
    Coffee/keyboard

    "Moonpig"?

    P'wah ha ha ha ha haahh.

    Honestly, I'd never heard of this site until I saw this article today.

    "Moonpig"? Who the hell came up with that one... and where can I get a quarter OZ of what they were smoking at the time?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like