Moonpig customers have become the latest victims of so-called “credential stuffing”, following complaints that hackers are stealing hundreds of pounds’ worth of gifts to send to anonymous addresses. The attack affects consumers who are too lazy to have different log-in details and passwords for all the sites they visit.
Customers have taken to social media to report the fraudulent activity on their accounts, with many seeing £40 bottles of alcohol sent as gifts to other people.
One user tweeted that they had been forced to cancel “£100 worth of stuff” while another said their bank had asked them to approve a £171 purchase on the site.
Moonpig insists customers’ card details are safe.
In a statement, the firm said: “We’d like to confirm that the Moonpig website has not been hacked and it remains safe for everyone to use. During the last month we’ve seen an increase in ‘credential stuffing’ attempts on our site. This is an activity where criminals use login credentials (username and password combinations) stolen from other websites to try to log in to individual customer accounts.
“Unfortunately, in some cases, the fraudsters did manage to gain access to some accounts. Where payment card details were saved with our payment provider, they also managed to place some fraudulent orders.
“But please be reassured that all impacted customers have been identified and the fraudulent orders have been cancelled and refunded. It’s also important to note that since we do not store card details within our system (they are stored via our payment provider), no card details of our customers have been exposed or accessed.
“The security of our customers is our first and foremost priority and we encourage everyone to use a strong, unique password for their account as it’s one of the best protections against fraudsters like this. If the login details are not used anywhere else online, then the fraudsters won’t be able to access the account with stolen credentials.”
Earlier this year, Boots took the unprecedented step of suspending payments using Advantage Card loyalty points – both in-store and online – amid a wave of attacks from hackers attempting to break into customers’ accounts using stolen credentials.
The move came just 48 hours after Tesco re-issued hundreds of thousands of Clubcards to combat a similar issue, triggered by the fact that so many consumers use the same username and password across numerous accounts.