And this, kids, is what happens when you re-use login credentials across sites. Posted on Moonpig’s site on July 26th:
Late on Friday, 24 July, we became aware of a security issue whereby a number of Moonpig customer email addresses, account balance and passwords had been illegally published. As a precautionary measure, we promptly closed our Moonpig site and apps to help us investigate and contain this issue.
Following these investigations, we now have strong evidence that the customer email addresses and passwords we identified were taken previously from other third party websites, and not directly from Moonpig.com. This data was then used to access the account balances of some of our Moonpig.com customers. As a reminder, we do not store full credit card information ourselves so this data was not accessible in any event.
We promptly contacted all our impacted customers advising them we had disabled their passwords to prevent any further access from the third party. Affected customers will now need to reset their passwords the next time they log in to the Moonpig.com site. We have also encouraged them to reset their passwords for other sites and services, particularly if they use the same combination. If you haven’t heard from us, but you are still concerned, then we recommend you reset the passwords you use for Moonpig and for other sites. Please note, that our Customer Service team cannot access your password – it is personal to you.
We have now completed our final security checks and investigations and have taken the decision to reopen our website and apps. We take our customer security very seriously and are very sorry for the concern or inconvenience this may have caused. Our team continues to work hard to put further processes in place to prevent any similar events from occurring in the future.
As Barclay Ballard notes, however, even if this wasn’t Moonpig’s fault (i.e., the logins were acquired elsewhere), they will likely take the reputation hit, especially since this wasn’t their first breach this year:
That being said, this is not the first time that Moonpig customers have had to deal with a high-profile security breach. Back in January, it was reported that a flaw in the service’s mobile app enabled anyone to access a user’s account without a password or username, so long as they entered a valid customer ID.