Moonpig customers are complaining of their accounts being hacked as hundreds of pounds worth of gifts are sent to anonymous addresses.
Dozens of customers have taken to social media to report the fraudulent activity on their accounts, with many seeing “expensive things” like £40 bottles of alcohol sent as gifts to the hackers.
One user tweeted that they had been forced to cancel “£100 worth of stuff” while another said their bank had asked them to approve a £171 purchase on the site.
Moonpig told The Mirror, which first reported the security breach, that customers’ card details were safe.
@MoonpigUK hi, my moonpig account has been hacked and items ordered 🤬 I’ve changed my password and address info back to my own and contacted my bank. Thought you should know too??
— Tinny oliver (@tinny1979) August 9, 2020
@MoonpigUK my daughters moonpig account appears to either have been subject to a hack or a system glitch. An order she hasn't placed is on its way & money is in the process of being taken from her account. Please advise on next step.
— Judith Stokoe (@JudithStokoe) July 12, 2020
Yay to finding out at 00:20 that I’d been hacked by moonpig and both my bank and PayPal accounts have had money taken out of them🙄 here I am at 00:40 on the phone trying to sort it😣
— Gabbie Cates (@GabbieCates123) July 18, 2020
“We’d like to confirm that the Moonpig website has not been hacked and it remains safe for everyone to use.
“During the last month we’ve seen an increase in ‘credential stuffing’ attempts on our site. This is an activity where criminals use login credentials (username and password combinations) stolen from other websites to try to log in to individual customer accounts.
“Unfortunately, in some cases, the fraudsters did manage to gain access to some accounts. Where payment card details were saved with our payment provider, they also managed to place some fraudulent orders.
“But please be reassured that all impacted customers have been identified and the fraudulent orders have been cancelled and refunded. It’s also important to note that since we do not store card details within our system (they are stored via our payment provider), no card details of our customers have been exposed or accessed.
“The security of our customers is our first and foremost priority and we encourage everyone to use a strong, unique password for their account as it’s one of the best protections against fraudsters like this. If the login details are not used anywhere else online, then the fraudsters won’t be able to access the account with stolen credentials.”
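The pattern the statement describes, one source trying stolen username and password pairs against many different accounts with most attempts failing, can be picked out of login logs. The following Python is an added example, not code from Moonpig or the article; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed login events: (timestamp, source IP, username, success)."""
    t0 = datetime(2020, 8, 9, 0, 0, 0)
    # One source walks a stolen credential list: 12 accounts tried, one login succeeds.
    events = [(t0 + timedelta(seconds=5 * i), "203.0.113.7",
               f"user{i}@example.com", i == 5) for i in range(12)]
    # A genuine customer mistyping a password twice before getting in.
    events += [(t0 + timedelta(seconds=s), "198.51.100.20", "alice@example.com", ok)
               for s, ok in ((10, False), (20, False), (30, True))]
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=10, min_fail_ratio=0.8):
    """Return {source IP: accounts it logged in to} for sources that tried
    many distinct accounts inside one window with mostly failed attempts.
    The default thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                # Every success from a flagged source is an account to lock and review.
                findings[ip] = sorted({u for _, u, ok in evs if ok})
                break
    return findings

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(build_sample_events()).items():
        print(f"{ip}: likely credential stuffing; review accounts {accounts}")
```

The customer who mistypes a password is not flagged because only one account is involved. Counting per source address misses attempts that are spread across many addresses or slowed below the window, so this check works alongside other signals, not in place of them.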
2 Comments
Attacks like this can be prevented without change to the user’s happy path experience through:
– strong device fingerprinting on the browser
– location evaluation
– bot detection
– behavioural biometrics
This happened to me yesterday. Confirmation of 3 orders placed on Oct 7th to an address in Bristol, when I live in Hampshire. Contacted my credit card co and will contact Moonpig when they open tomorrow am.