Pinterest Stumbleupon Whatsapp

Online greetings card store Moonpig exposed customer data to hackers for at least 15 months, despite warnings from an expert that there was a hole that needed to be plugged.

There are multiple lessons here. The first: corporate arrogance is dangerous. Second: it’s important for customers to educate themselves, and make sure companies are working to keep them secure. And the third: a “known name” isn’t necessarily a safe one.

Moonpig is an online greetings card store that sells custom-designed cards and mugs through their website. Hugely popular (thanks to regular TV advertising), Moonpig shipped 6 million cards in in the UK in 2007. While a British site (based in London and the Channel Island of Guernsey), this is a situation that affects shoppers and online store owners around the world.

The Moonpig Hack: What Happened?

Back in 2013, developer Paul Price discovered that mobile API requests on the website could be hacked, thereby enabling criminal hackers to place orders on any account. Additionally, Data such as customer names, date of birth, address, credit card expiries and the last four digits of the card could be viewed.


Websites that offer online shopping usually provide rate limiters that reduce the impact of automated scripts, but Moonpig omitted to do this, making it an easy, open target for hackers.


Initially informed by Price of the vulnerability in mid-2013, Moonpig claimed that they would fix it right away; 18 months later, the vulnerability remained.

Said Price when he published details of the vulnerability online:

“I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architect this system needs to be waterboarded. Every API request is like this: there’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers accounts, add or retrieve card information, view saved addresses, view orders and much more.”

Essentially, basic authentication was being used and account data revealed without authentication checks.

Price decided to go public with the hack after Moonpig responded to his follow-up contact in September 2014 to have the fix in place by Christmas. When he revealed all on January 5th, it had yet to be plugged.

Moonpig’s Reaction To The Hack

The lesson of this story isn’t so much about the hack – they’re happening more and more in the online shopping industry – but about the attitude of the company, and what this means to consumers.

If we consider the volume of hacks over the past couple of years, such as still-unexplained eBay leak The eBay Data Breach: What You Need To Know The eBay Data Breach: What You Need To Know Read More and Target losing 40 million credit cards Target Confirms Up To 40 Million US Customers Credit Cards Potentially Hacked Target Confirms Up To 40 Million US Customers Credit Cards Potentially Hacked Target has just confirmed that a hack could have compromised the credit card information for up to 40 million customers that have shopped in its US stores between November 27th and December 15th of 2013. Read More  then we can see that there seems to be at best an ignorance, at worst utter complacency, towards online security.

Take, for example, the Moonpig response to the news:

This attempt at damage limitation was immediately called out:

Public Relations disaster aside, Moonpig’s inability to deal with the issue in a timely manner highlights the importance of regular running penetration tests on Internet facing websites, as well as responding to security advisories promptly.

How Customers Can Benefit From Security Vulnerabilities

It isn’t clear if any data was stolen from Moonpig via this vulnerability, and based on their damage limitation efforts so far they probably wouldn’t share the information even if they had it.

The endless issues with online shopping security over the past 24 months or so have begun to undermine confidence in the industry. While eBay is giving little away at this stage, for instance (and never confirmed how their data was hacked) it’s remarkable drive towards free listings and other bonuses during the middle of 2014 suggests a lot of users stayed away.


Short of launching civil actions against these companies, the only real steps customers can take against the flagrant misuse and insecurity of their data (and if you’re a customer it’s worth checking for any promises of data security in your original terms and conditions) is to vote with their wallets.

With the explosion in courier services and drone deliveries, vast warehouses around the country and vast deliveries, Amazon is proving how to fulfil customer orders and keep their data safe (so far). Other companies should be using Amazon as an example, rather than a rough template to attempt to mimic. Failure to do this can only result in the end of online shopping – or the total dominance of Amazon.

Only by taking steps to shop elsewhere can we benefit from online stores taking their responsibilities seriously.

Don’t Quit Online Shopping Yet: Just Shop Smarter

Over the past couple of years we’ve seen far too many big names hacked. But these intrusions, and subsequent data leaks, don’t mean that you have to remain a customer. In fact, you should do the opposite and head for the more secure competitors, or shop locally, instead. If you’re caught out and shop at a site that is hacked, you might also consider these alternative options Store You Shop At Get Hacked? Here's What To Do Store You Shop At Get Hacked? Here's What To Do Read More .

Of course, you might have a better solution. So use the comments to share it, and any related stories you may have.

Image Credit: Shopping online via Shutterstock

Leave a Reply

Your email address will not be published. Required fields are marked *