The Moonpig Bug: How 3,000,000 Customers' Details Were Exposed

  • Published on: 06 January 2015
  • It's been all over the British news today: developer Paul Price found a bug in photo-crap-maker Moonpig's site, one that might have exposed three million users' personal information. Paul's got a great technical post about it at -- but there's no decent non-techie explanation except for the one-paragraph summaries in newspapers. It was a perfect storm of tech incompetence: here's how to avoid doing it yourself.
  • Runtime : 5:27
  • tom scott tomscott Moonpig (Business Operation) bug vulnerability Paul Price Moonpig authentication token password oauth security computer security Computer Security (Software Genre) Security (Literature Subject)


  • mad ass
    mad ass   3 days ago

    The gifter that keeps on gifting...

  • vin 950
    vin 950   1 weeks ago

    am I the only one who thinks that Paul Price is an unsung hero?

  • pravoslavn
    pravoslavn   1 weeks ago

    I have subscribed to your YouTube channel, largely because I find your very proper British diction to be quite mellifluous. As an American, I am utterly ashamed of the slovenly way we speak the English language... it is ignorant, crass and embarrassing. So I pay attention when I hear eloquently spoken English, and try to improve my own usage. May I ask, what city or shire is represented in your most pleasing use of the language? (Bless you, and keep up the good work!)

  • John Morgan
    John Morgan   2 weeks ago do you use a credit card to mine bitcoin?!?!?

  • Daniel Zazula
    Daniel Zazula   3 weeks ago

    Sure, hire the cheapest programmer, what could go wrong?

  • Shane Wright
    Shane Wright   1 months ago

    Sounds like they had a little too much faith in the old "security by obscurity" paradigm.

  • Rei
    Rei   1 months ago


  • CoolAsFreya
    CoolAsFreya   1 months ago

    As a networking student "never trust user input" and "treat everything as malicious until proven otherwise" are the two biggest rules in setting any network or service up

  • 57thorns
    57thorns   1 months ago

    Let me rephrase what you said at 4:39 : It was an outright lie because that information has demonstrably been unsafe for a long time.l

  • Mateus Bittencourt
    Mateus Bittencourt   2 months ago

    Do anyone knows when (if) they fixed this... and did they said anything more about it?

  • Cactyne Mann
    Cactyne Mann   2 months ago

    "it would thousands of years to guess someone else's-" or just an Adderall and a metric tonne of luck

  • ceruchi
    ceruchi   2 months ago

    What cravens. "Username and password is and has always been safe." If any real-life store treated its customers so flippantly, it would be shunned.

  • Icalasari
    Icalasari   2 months ago

    I love how THREE YEARS LATER, the description doesn't have a response edited inGuess Moonpig never learned...

  • armycadets
    armycadets   2 months ago

    One of my favorite things I've ever put into a site is on the password change form I put a hidden field named user-id with a random number. The number is checked for accuracy on submit and if it's been modified it bans the IP and account. I get a good laugh every few months. And the security log event type is labeled "trapcard"

  • Veprah
    Veprah   2 months ago


  • Marcus F
    Marcus F   2 months ago

    I once had the pleasure of doing some updates on an accountants website. I discovered that as well as all their clients passwords being stored in plain text, their uploaded accounts documents were stored in a publicly accessible folder with consecutive ids as file names. To be fair the company I worked for had me update the code at no cost the customer.I was amazed at how many passwords were in the format: [username]123 ...!

  • Roedy Green
    Roedy Green   2 months ago

    It looks like the coder had no clue what the token was for. They were just blindly coding to a spec.

  • Petar Todorov
    Petar Todorov   4 months ago

    231 weeks since this video was uploaded. Tom hasn't updated the video description with moonpig's response yet...

  • alte Bänder
    alte Bänder   4 months ago

    The problem is that currently "Apps" and "Web services" are typical fashionable areas of software development. Therefore many beginners will start with it. Beginners obviously aren't very experienced at what they do as they are beginners. Adding to that web and app development isn't very appealing to experienced developers. After all much of its core concepts go against basic sensible rules of how UIs work. I mean why bother stringing together individual requests into a session when virtually every other platform makes sure your program just seems to run continuously.Adding to that is of course that beginners typically charge far less than more experienced programmers. Why pay a more experienced programmer 800 Euros or more a month, when the kid next door will do it for 400?

  • ItsAgentD
    ItsAgentD   5 months ago

    I remember back in the day when I was making a control panel for a game server and ran it on my test server. It was hacked within minutes by a friend just because I didn't check the input of 1 script causing my friend to get access to admin on the server and causing mayhem. I just didn't escape anything for one field and that was my downfall. Luckily I asked a friend to test the security and it was on a test server. You should never release something on a live machine until it has been tested.

  • Garraway Prox
    Garraway Prox   6 months ago

    To be honest, if I (not a computer nerd) were to find such useless security measures, I'd attack it just to prove it to them and then post my findings online.

  • Zach K
    Zach K   6 months ago

    I agree with you; something my uncle always says: whatever you program, try to get it to fail. Don't program it to fail, but test it and try to get it to fail so you can fix it. That's one of the reasons I like ethical hackers so much and the companies that use them; you know they won't easily fail to simple security flaws. Kudos to anyone who finds these issues and reports them urgently, safely, and carefully.

  • Tiax Anderson
    Tiax Anderson   6 months ago

    The description hasn't been changed with a reply by the looks of it. I guess they never got back to Tom.

  • Daniel Dugovic
    Daniel Dugovic   6 months ago

    Huh, why are developers the ones responsible for design decisions? Of course being security-minded never hurts, but surely a security culture is necessary to produce secure software.

  • Ginger Ninja
    Ginger Ninja   7 months ago

    Tom should enter SAS: Who dares wins. He’d fail but it would be worth watching.

  • Narkopop
    Narkopop   8 months ago

    🎶Moonpig dot com🎶

  • Richard Vaughn
    Richard Vaughn   9 months ago

    The problem wasn't consecutive IDs, the problem was that the server was allowing someone to request data for a user ID when the person requesting it should have not been able to see it.Even with completely random IDs you can simply brute-force them and fetch the user details.

  • Julian Danzer
    Julian Danzer   9 months ago

    unfortunately a pentests are not guarantees either - there are a few examples of double and triple pentested sites and applications with huge security holes

  • René Price
    René Price   9 months ago

    * hears intro *You hate moonpig. 100%I

  • supl1an
    supl1an   10 months ago

    What do you expect from a company named "Moonpig"...

  • TrueVerdicts
    TrueVerdicts   10 months ago

    Inside that jacket is a red shirt.. don't worry the world isn't going to end just quite yet.

  • 6 6
    6 6   10 months ago

    Rule number one. Apps are for tards.

  • Willby Hudson
    Willby Hudson   10 months ago

    remembers the thing I coded last night. Runs back to it to fix it.