Touchnote hacked – tells users to reset their passwords

Graham Cluley

Touchnote, an online service which takes your digital photographs and then sends them to loved ones as a physical postcard, has been hacked.

The company has sent an email alert to registered users today, advising them that their names, email addresses and order history have been accessed by an unauthorised party. Furthermore, the company is recommending that users change their passwords.


Part of the email reads as follows:

On 4th November 2015 we received information confirming that Touchnote has been the victim of criminal activity, resulting in the theft of some of our customer data.

The data that was accessed included your name, email address, postal address and your Touchnote order history, registered with

Touchnote does not store your full credit/debit card number, expiry date or security code. Therefore, this information was not accessed.

The data that was accessed included the last four digits of your card number (e.g. XXXX XXXX XXXX 1234) which on its own cannot be used for making financial transactions.

As always, though, we recommend you continue to monitor your card statements and report any suspicious transactions to your card provider.

Your password has not been revealed, but we recommend you change it now

We encrypt all passwords and never store them in plain format. For example, if your password was ‘hello’ it will have appeared in our database as a random combination of letters and digits.

Nonetheless, as a precaution, we do recommend that you change your Touchnote password immediately.

Touchnote goes on sensibly to remind users to ensure that they are not using the same password at any other service.

It should go without saying that you should be on your guard against attempts by the hackers to exploit the information by, for instance, sending out phishing campaigns to the stolen list of email addresses.

https://twitter.com/touchnote/status/662665893235789824

At the time of writing, Touchnote’s website appears to be struggling to cope with traffic, as concerned users visit it for further information.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Touchnote hacked – tells users to reset their passwords”

  1. graphicequaliser

    1) Hackers now have full names and postal addresses for thousands of email addresses. That is really bad. The dark web will benefit from that.
    2) Touchnote then have the effrontery to suggest users go to an unencrypted web portal to sign in (revealing usernames and passwords in plain text to wire-sharks) at http://www.touchnote.com/users/signin where the form tag is form id=”signinForm” name=”UserLogin” method=”post” action=”/users/signin” (ie. no hand-on to an https address)

    I despair of these idiots!

    1. maybe · in reply to graphicequaliser

      Just tried http://www.touchnote.com/users/signin in a browser.
      It 302 redirected me to https://www.touchnote.com/users/signin

      Is that not Ok?
