Moonpig users hacked as hundreds of pounds worth of gifts sent to criminals


Moonpig customers are complaining of their accounts being hacked as hundreds of pounds worth of gifts are sent to anonymous addresses.

Dozens of customers have taken to social media to report the fraudulent activity on their accounts, with many seeing “expensive things” like £40 bottles of alcohol sent as gifts to the hackers.

One user Tweeted that they had been forced to cancel “£100 worth of stuff” while another said their bank had asked them to approve a £171 purchase on the site.

Moonpig told The Mirror, who first reported the security breach, that customers card details were safe.

“We’d like to confirm that the Moonpig website has not been hacked and it remains safe for everyone to use.

“During the last month we’ve seen an increase in ‘credential stuffing’ attempts on our site. This is an activity where criminals use login credentials (username and password combinations) stolen from other websites to try to log in to individual customer accounts.

“Unfortunately, in some cases, the fraudsters did manage to gain access to some accounts. Where payment card details were saved with our payment provider, they also managed to place some fraudulent orders.

READ MORE: 460,000 Uniqlo accounts hacked in major breach

“But please be reassured that all impacted customers have been identified and the fraudulent orders have been cancelled and refunded. It’s also important to note that since we do not store card details within our system (they are stored via our payment provider), no card details of our customers have been exposed or accessed.

“The security of our customers is our first and foremost priority and we encourage everyone to use a strong, unique password for their account as it’s one of the best protections against fraudsters like this. If the login details are not used anywhere else online, then the fraudsters won’t be able to access the account with stolen credentials.”

Click here to sign up to Charged‘s free daily email newsletter



2 Comments. Leave new

  • Avatar
    Christopher Hutton
    August 12, 2020 12:42 pm

    Attacks like this can be prevented without change to the user’s happy path experience through:
    – strong device fingerprinting on the browser,
    – location evaluation
    – bot detection
    – behavioural biometrics

  • This happened to me yesterday. Confirmation of 3 orders placed on Oct 7th to an address in Bristol, when I live in Hampshire. Contacted my credit card co and will contact Moonpig when they open tomorrow am.


Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.



Sign up to our daily newsletter to get all the latest retail tech news and insights direct to your inbox.

  • This field is for validation purposes and should be left unchanged.