Touchnote, an online service which takes your digital photographs and then sends them to loved ones as a physical postcard, has been hacked.
The company has sent an email alert to registered users today, advising them that their names, email addresses and order history have been accessed by an unauthorised party. Furthermore, the company is recommending that users change their passwords.
Part of the email reads as follows:
On 4th November 2015 we received information confirming that Touchnote has been the victim of criminal activity, resulting in the theft of some of our customer data.
The data that was accessed included your name, email address, postal address and your Touchnote order history, registered with
Touchnote does not store your full credit/debit card number, expiry date or security code. Therefore, this information was not accessed.
The data that was accessed included the last four digits of your card number (e.g. XXXX XXXX XXXX 1234) which on its own cannot be used for making financial transactions.
As always, though, we recommend you continue to monitor your card statements and report any suspicious transactions to your card provider.
Your password has not been revealed, but we recommend you change it now
We encrypt all passwords and never store them in plain format. For example, if your password was ‘hello’ it will have appeared in our database as a random combination of letters and digits.
Nonetheless, as a precaution, we do recommend that you change your Touchnote password immediately.
Touchnote goes on sensibly to remind users to ensure that they are not using the same password at any other service.
It should go without saying that you should be on your guard against attempts by the hackers to exploit the information by, for instance, sending out phishing campaigns to the stolen list of email addresses.
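The email above says stored passwords are "encrypted" and appear in the database as a random string, yet still advises a change. The reason is that a hashed password can still be recovered offline if the hash is fast and unsalted. The following is an added illustration of what proper password storage looks like and why the advice is sound; it is not Touchnote's code, and the algorithm choice (PBKDF2-HMAC-SHA256), iteration count and field layout are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for illustration: PBKDF2-HMAC-SHA256 with a per-user
# random salt and a high iteration count. Real deployments should tune the
# iteration count to their hardware and prefer a memory-hard KDF where available.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_hash(password: str) -> str:
    """The weakest thing 'appears as a random combination of letters and digits'
    can mean: one fast hash, identical for every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key (base64 fields)."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=KEY_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(key).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, key_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users who both chose the password from the email's own example.
    alice = hash_password("hello")
    bob = hash_password("hello")
    print("unsalted records identical:", unsalted_hash("hello") == unsalted_hash("hello"))  # True
    print("salted records identical:  ", alice == bob)                                   # False
    print("verify correct password:   ", verify_password("hello", alice))                 # True
    print("verify wrong password:     ", verify_password("Hello", alice))                 # False
```

With a per-user salt and a slow KDF, two users with the same password get different records and each guess costs the attacker a full KDF computation; with a bare fast hash, one precomputed table covers every user at once. Either way, a leaked record is a reason to change the password, which is why the email's advice stands even if the hashing was done well.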
https://twitter.com/touchnote/status/662665893235789824
At the time of writing Touchnote's website appears to be struggling to cope with traffic, as concerned users visit it for further information.
1) Hackers now have full names and postal addresses for thousands of email addresses. That is really bad. The dark web will benefit from that.
2) Touchnote then have the effrontery to suggest users go to an unencrypted web portal to sign in (revealing usernames and passwords in plain text to wire-sharks) at http://www.touchnote.com/users/signin where the form tag is form id="signinForm" name="UserLogin" method="post" action="/users/signin" (i.e. no hand-off to an https address)
I despair of these idiots!
Just tried http://www.touchnote.com/users/signin in a browser.
It 302 redirected me to https://www.touchnote.com/users/signin
Is that not Ok?
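The two comments above disagree on whether a relative form action of /users/signin means credentials travel in plain text. What decides it is the scheme of the page the form is served on, since a relative action resolves against the page URL, plus whether the very first request can be made over plain HTTP at all. The script below is an added example, not code from Touchnote or from either commenter; the HTML snippet, the redirect table and the response headers are constructed to mirror what the comments describe.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed HTML approximating the form tag quoted in the comment above.
# The input field names are placeholders, not the site's real ones.
SIGNIN_HTML = """
<html><body>
<form id="signinForm" name="UserLogin" method="post" action="/users/signin">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed redirect table modelling the second commenter's observation:
# the http:// URL answers 302 with an https:// Location header.
REDIRECTS = {
    "http://www.touchnote.com/users/signin": (302, "https://www.touchnote.com/users/signin"),
}


class PasswordFormParser(HTMLParser):
    """Collect (method, action) for every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "",
                             "has_password": False}
        elif tag == "input" and self._current is not None and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def final_page_url(start_url, redirects, max_hops=5):
    """Follow 301/302 redirects from the constructed table and return the landing URL."""
    url = start_url
    for _ in range(max_hops):
        status, location = redirects.get(url, (200, None))
        if status not in (301, 302, 307, 308) or not location:
            return url
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")


def login_submit_urls(page_url, html):
    """Resolve each password form's action against the page URL it was served on."""
    p = PasswordFormParser()
    p.feed(html)
    p.close()
    return [urljoin(page_url, f["action"]) for f in p.forms]


def assess_login(start_url, redirects, html, response_headers):
    """Summarise where credentials would be posted and whether the first hop is plaintext."""
    page_url = final_page_url(start_url, redirects)
    submits = login_submit_urls(page_url, html)
    return {
        "page_url": page_url,
        "submit_urls": submits,
        "credentials_over_tls": bool(submits) and all(urlsplit(u).scheme == "https" for u in submits),
        "first_request_plaintext": urlsplit(start_url).scheme == "http",
        "hsts_present": any(k.lower() == "strict-transport-security" for k in response_headers),
    }


if __name__ == "__main__":
    # Headers without HSTS: the redirect protects this visit, but a browser will still
    # try http:// first next time unless told to remember the https:// origin.
    report = assess_login("http://www.touchnote.com/users/signin", REDIRECTS, SIGNIN_HTML,
                          {"Content-Type": "text/html"})
    for k, v in report.items():
        print(f"{k}: {v}")
```

For the constructed inputs the form posts to https://www.touchnote.com/users/signin, so the reply in the second comment is right that the credentials themselves are sent over TLS. The first commenter's concern survives in a narrower form: the initial http:// request is plaintext until the redirect is followed, and only a Strict-Transport-Security header (or an HTTPS-only link from the email) removes that hop on later visits.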