Moonpig user details leaked online after third party breach

Moonpig has suffered another security breach, leading to user details being published online.

The greeting card company has begun contacting subscribers about the leaked information and has also issued a response on its website.

A Moonpig spokesperson said that an investigation into the breach was underway and that some customer passwords had been disabled and would now need to be reset.

“Late on Friday, 24 July, we became aware of a security issue whereby a number of Moonpig customer email addresses, account balance and passwords had been illegally published. As a precautionary measure, we promptly closed our Moonpig site and apps to help us investigate and contain this issue,” the company explained.

“Following these investigations, we now have strong evidence that the customer email addresses and passwords we identified were taken previously from other third party websites, and not directly from Moonpig.com.”

When identical usernames and passwords are used across multiple sites, a security breach at one of them can enable cyber attackers to access accounts on the others. Fortunately, Moonpig does not store credit card information itself, so the direct damage to customers is limited.

That being said, this is not the first time that Moonpig customers have had to deal with a high-profile security breach. Back in January, it was reported that a flaw in the service’s mobile app enabled anyone to access a user’s account without a password or username, so long as they entered a valid customer ID.

For many businesses, including Moonpig, security flaws are worrying not only because of the damage caused to the customer, but also because of the blemishes they leave on a company’s reputation.