The Moonpig Bug: How 3,000,000 Customers' Details Were Exposed

  • Published on: 06 January 2015
  • It's been all over the British news today: developer Paul Price found a bug in photo-crap-maker Moonpig's site, one that might have exposed three million users' personal information. Paul's got a great technical post about it at -- but there's no decent non-techie explanation except for the one-paragraph summaries in newspapers. It was a perfect storm of tech incompetence: here's how to avoid doing it yourself.
  • Runtime : 5:27
  • tom scott tomscott Moonpig (Business Operation) bug vulnerability Paul Price Moonpig authentication token password oauth security computer security Computer Security (Software Genre) Security (Literature Subject)


  • notthere83
    notthere83   1 week ago

    Wow, at least based on a brief Google search, it seems this didn't impact their business at all?

  • John CO.
    John CO.   2 weeks ago

    I... I don't think they're going to respond...

  • TcheQ _
    TcheQ _   2 weeks ago

    166 dupe accounts of moonpig execs downvoted this

  • Lady Genesis
    Lady Genesis   3 weeks ago

    It's been 5 years and they still haven't gotten back to him. Dang moonpig, that's cold.

  • Armatix
    Armatix   4 weeks ago

    344aab9758bb0d018b93739e7893fb3a
    never gonna give you up

  • Cyber0 Punk
    Cyber0 Punk   1 month ago

    imagine using the Customer ID as identification, what a shitty move from Moonping lmao
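The flaw the comment above alludes to is the classic insecure direct object reference: the caller is authenticated, but the customer ID supplied in the request, rather than the identity behind the session, decides whose record is returned. The following is an added example, not Moonpig's code or anything from the video; the endpoint shape, the in-memory session store and the sample records are constructed assumptions. It shows the vulnerable handler beside the fixed one, and logs mismatches so the fixed version also gives defenders a detection signal.

```python
"""Constructed example (not Moonpig's code): one endpoint written two ways.

Both handlers require a valid session, but the insecure one lets the
customer ID sent by the client decide whose records come back, so any
customer can read every other customer's data by changing one number.
The secure one takes identity from the session and treats a mismatch as
a policy violation worth logging.
"""
import logging
import secrets

log = logging.getLogger("idor-demo")

# Constructed sample records keyed by customer ID (assumption: sequential integer IDs).
CUSTOMER_ADDRESSES = {
    1001: ["1 Example Street, Sampletown"],
    1002: ["2 Demo Road, Testville"],
}

# session token -> customer ID the token was issued to (constructed in-memory store)
SESSIONS: dict[str, int] = {}


class Unauthorized(Exception):
    """Caller presented no valid session."""


class Forbidden(Exception):
    """Caller is authenticated but not allowed to see this record."""


def login(customer_id: int) -> str:
    """Issue an unguessable session token bound to exactly one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def addresses_insecure(token: str, requested_id: int) -> list[str]:
    """Vulnerable pattern: authentication happens, authorization does not.

    The client-supplied ID is used directly as the record key, so a logged-in
    customer can enumerate every other customer by incrementing the number.
    """
    if token not in SESSIONS:
        raise Unauthorized("no valid session")
    return CUSTOMER_ADDRESSES[requested_id]   # never compared against SESSIONS[token]


def addresses_secure(token: str, requested_id: int) -> list[str]:
    """Fixed pattern: identity comes from the session, never from the request.

    The ID in the request is only allowed to match the session owner; anything
    else is refused and logged, which gives a clean signal for enumeration attempts.
    """
    owner = SESSIONS.get(token)
    if owner is None:
        raise Unauthorized("no valid session")
    if requested_id != owner:
        log.warning("idor attempt: session for %s requested customer %s", owner, requested_id)
        raise Forbidden("not your record")
    return CUSTOMER_ADDRESSES[owner]


def can_read(handler, token: str, requested_id: int) -> bool:
    """True if the handler hands the data over, False if it refuses."""
    try:
        handler(token, requested_id)
        return True
    except (Unauthorized, Forbidden):
        return False


if __name__ == "__main__":
    alice = login(1001)
    # Alice asks for customer 1002's addresses through both handlers.
    print("insecure handler leaks another customer:", can_read(addresses_insecure, alice, 1002))
    print("secure handler refuses:", not can_read(addresses_secure, alice, 1002))
```

The important design point is that `addresses_secure` never looks up a record by the number the client sent; it looks up the session owner and only checks that the request agrees. In a real service the `Forbidden` path should be rate-limited and alerted on, because a burst of mismatched IDs from one session is exactly what ID enumeration looks like in the logs.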

  • Cailean Parker
    Cailean Parker   1 month ago

    To quote my boss: "Security through obscurity is little better than no security at all."

  • DancingCheese
    DancingCheese   1 month ago

    Being a pentester sounds fun. You get to be a malicious hacker but without the jail time!

  • Beenis
    Beenis   2 months ago

    Companies: writing bad code
    Tom: "y'all are getting paid?"

  • Eduardo
    Eduardo   2 months ago

    Wow that's the greatest display of ineptitude I've seen in a long time.

  • mad ass
    mad ass   3 months ago

    The gifter that keeps on gifting...

  • vin 950
    vin 950   3 months ago

    Am I the only one who thinks that Paul Price is an unsung hero?

  • pravoslavnik
    pravoslavnik   3 months ago

    I have subscribed to your YouTube channel, largely because I find your very proper British diction to be quite mellifluous. As an American, I am utterly ashamed of the slovenly way we speak the English language... it is ignorant, crass and embarrassing. So I pay attention when I hear eloquently spoken English, and try to improve my own usage. May I ask, what city or shire is represented in your most pleasing use of the language? (Bless you, and keep up the good work!)

  • John Morgan
    John Morgan   3 months ago

    do you use a credit card to mine bitcoin?!?!?

  • Daniel Zazula
    Daniel Zazula   3 months ago

    Sure, hire the cheapest programmer, what could go wrong?

  • Shane Wright
    Shane Wright   4 months ago

    Sounds like they had a little too much faith in the old "security by obscurity" paradigm.

  • CoolAsFreya
    CoolAsFreya   4 months ago

    As a networking student, "never trust user input" and "treat everything as malicious until proven otherwise" are the two biggest rules in setting any network or service up.

  • 57thorns
    57thorns   5 months ago

    Let me rephrase what you said at 4:39: it was an outright lie, because that information has demonstrably been unsafe for a long time.

  • Mateus Bittencourt
    Mateus Bittencourt   5 months ago

    Does anyone know when (if) they fixed this... and did they say anything more about it?

  • Cactyne Mann
    Cactyne Mann   5 months ago

    "it would take thousands of years to guess someone else's-" or just an Adderall and a metric tonne of luck

  • ceruchi
    ceruchi   5 months ago

    What cravens. "Username and password is and has always been safe." If any real-life store treated its customers so flippantly, it would be shunned.

  • Icalasari
    Icalasari   5 months ago

    I love how THREE YEARS LATER, the description doesn't have a response edited in. Guess Moonpig never learned...

  • armycadets
    armycadets   5 months ago

    One of my favorite things I've ever put into a site is on the password change form I put a hidden field named user-id with a random number. The number is checked for accuracy on submit and if it's been modified it bans the IP and account. I get a good laugh every few months. And the security log event type is labeled "trapcard"
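The decoy-field idea in the comment above is a small honeypot: a hidden input whose value no legitimate client ever changes, so any altered submission is proof of tampering. Below is an added example of that pattern, not the commenter's code; the field name `user-id` and the "trapcard" event type come from the comment, while the storage layout, the return values and the sample IPs are constructed assumptions.

```python
"""Constructed example (not the commenter's code): a decoy hidden field on a
password-change form.

The server embeds a hidden field carrying a random per-session value. A
submission whose value differs from the one issued can only have been
edited by the client, so it is logged under the "trapcard" event type and
the account and source IP are blocked before any password logic runs.
"""
import hmac
import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("trapcard-demo")

DECOY_FIELD = "user-id"   # name from the comment; looks like a real ID to anyone poking at the form


@dataclass
class TrapState:
    """In-memory state standing in for a session store, ban list and security log."""
    issued: dict[str, str] = field(default_factory=dict)     # session id -> decoy value
    banned_ips: set[str] = field(default_factory=set)
    banned_accounts: set[str] = field(default_factory=set)
    events: list[dict] = field(default_factory=list)          # constructed security log


def render_password_form(state: TrapState, session_id: str) -> dict[str, str]:
    """Return the hidden fields the server embeds in the form for this session."""
    decoy = str(secrets.randbelow(10**9))   # a random number, as in the comment
    state.issued[session_id] = decoy        # stays valid for the session (no one-time use here)
    return {DECOY_FIELD: decoy}


def submit_password_form(state: TrapState, session_id: str, account: str,
                         client_ip: str, fields: dict[str, str]) -> str:
    """Check the decoy before touching the password at all.

    Returns "ok" for an untouched form and "banned" when the decoy was
    altered or missing.
    """
    expected = state.issued.get(session_id)
    received = fields.get(DECOY_FIELD, "")
    # Constant-time comparison; a missing issued value is treated as tampering too.
    if expected is None or not hmac.compare_digest(expected, received):
        state.banned_ips.add(client_ip)
        state.banned_accounts.add(account)
        state.events.append({"type": "trapcard", "account": account, "ip": client_ip,
                             "expected": expected, "received": received})
        log.warning("trapcard: %s from %s altered hidden field %s", account, client_ip, DECOY_FIELD)
        return "banned"
    # The real password-change logic would run here.
    return "ok"


if __name__ == "__main__":
    state = TrapState()
    form = render_password_form(state, "sess-1")
    print("honest submit:", submit_password_form(state, "sess-1", "alice", "203.0.113.5", dict(form)))
    form = render_password_form(state, "sess-2")
    tampered = {DECOY_FIELD: str(int(form[DECOY_FIELD]) + 1)}
    print("edited submit:", submit_password_form(state, "sess-2", "mallory", "203.0.113.9", tampered))
```

The value of the trap is that it has essentially no false positives: browsers submit hidden fields verbatim, so the only way the check fails is a human or tool rewriting the request. Whether to ban outright, as the comment does, or just raise an alert is a policy choice; the event record is what matters for later investigation.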

  • Marcus F
    Marcus F   6 months ago

    I once had the pleasure of doing some updates on an accountant's website. I discovered that as well as all their clients' passwords being stored in plain text, their uploaded accounts documents were stored in a publicly accessible folder with consecutive IDs as file names. To be fair, the company I worked for had me update the code at no cost to the customer. I was amazed at how many passwords were in the format: [username]123 ...!

  • Roedy Green
    Roedy Green   6 months ago

    It looks like the coder had no clue what the token was for. They were just blindly coding to a spec.

  • Petar Todorov
    Petar Todorov   7 months ago

    231 weeks since this video was uploaded. Tom hasn't updated the video description with moonpig's response yet...

  • alte Bänder
    alte Bänder   8 months ago

    The problem is that currently "Apps" and "Web services" are typical fashionable areas of software development. Therefore many beginners will start with it. Beginners obviously aren't very experienced at what they do, as they are beginners. Adding to that, web and app development isn't very appealing to experienced developers. After all, much of its core concepts go against basic sensible rules of how UIs work. I mean, why bother stringing together individual requests into a session when virtually every other platform makes sure your program just seems to run continuously? Adding to that is of course that beginners typically charge far less than more experienced programmers. Why pay a more experienced programmer 800 Euros or more a month, when the kid next door will do it for 400?

  • ItsAgentD
    ItsAgentD   9 months ago

    I remember back in the day when I was making a control panel for a game server and ran it on my test server. It was hacked within minutes by a friend just because I didn't check the input of 1 script causing my friend to get access to admin on the server and causing mayhem. I just didn't escape anything for one field and that was my downfall. Luckily I asked a friend to test the security and it was on a test server. You should never release something on a live machine until it has been tested.

  • Garraway Prox
    Garraway Prox   10 months ago

    To be honest, if I (not a computer nerd) were to find such useless security measures, I'd attack it just to prove it to them and then post my findings online.

  • Zach K
    Zach K   10 months ago

    I agree with you; something my uncle always says: whatever you program, try to get it to fail. Don't program it to fail, but test it and try to get it to fail so you can fix it. That's one of the reasons I like ethical hackers so much and the companies that use them; you know they won't easily fail to simple security flaws. Kudos to anyone who finds these issues and reports them urgently, safely, and carefully.