Online cards company Moonpig breached again

Online greeting card company Moonpig admitted earlier this week that it had suffered another security breach, which led to user details being published online.

The UK-based firm began contacting subscribers about the breach on Wednesday, and issued the response below on its website.

“Late on Friday, 24 July, we became aware of a security issue whereby a number of Moonpig customer email addresses, account balance and passwords had been illegally published. As a precautionary measure, we promptly closed our Moonpig site and apps to help us investigate and contain this issue,” the company explained.

“Following these investigations, we now have strong evidence that the customer email addresses and passwords we identified were taken previously from other third party websites, and not directly from Moonpig.com.”

Some customer passwords had been disabled and would need to be reset:

Moonpig does not store credit card information itself, so the damage from this attack is limited. That said, this is the second time the service has been hit this year; back in January, a flaw in the service's mobile app enabled anyone to access a user's account without a password or username, so long as they entered a valid customer ID.