Touchnote hacked – tells users to reset their passwords

Graham Cluley


Touchnote, an online service which takes your digital photographs and then sends them to loved ones as a physical postcard, has been hacked.

The company has sent an email alert to registered users today, advising them that their names, email addresses and order history have been accessed by an unauthorised party. Furthermore, the company is recommending that users change their passwords.


Part of the email reads as follows:

On 4th November 2015 we received information confirming that Touchnote has been the victim of criminal activity, resulting in the theft of some of our customer data.

The data that was accessed included your name, email address, postal address and your Touchnote order history, registered with

Touchnote does not store your full credit/debit card number, expiry date or security code. Therefore, this information was not accessed.

The data that was accessed included the last four digits of your card number (e.g. XXXX XXXX XXXX 1234) which on its own cannot be used for making financial transactions.

As always, though, we recommend you continue to monitor your card statements and report any suspicious transactions to your card provider.

Your password has not been revealed, but we recommend you change it now

We encrypt all passwords and never store them in plain format. For example, if your password was ‘hello’ it will have appeared in our database as a random combination of letters and digits.

Nonetheless, as a precaution, we do recommend that you change your Touchnote password immediately.

Touchnote goes on sensibly to remind users to ensure that they are not using the same password at any other service.

It should go without saying that you should be on your guard against attempts by the hackers to exploit the information by, for instance, sending out phishing campaigns to the stolen list of email addresses.

At the time of writing, Touchnote's website appears to be struggling to cope with traffic, as concerned users visit it for further information.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Touchnote hacked – tells users to reset their passwords”

  1. 1) Hackers now have full names and postal addresses for thousands of email addresses. That is really bad. The dark web will benefit from that.
    2) Touchnote then have the effrontery to suggest users go to an unencrypted web portal to sign in (revealing usernames and passwords in plain text to wire-sharks) at http://www.touchnote.com/users/signin where the form tag is form id="signinForm" name="UserLogin" method="post" action="/users/signin" (i.e. no hand-on to an https address)

    I despair of these idiots!

    1. Just tried http://www.touchnote.com/users/signin in a browser.
      It 302 redirected me to https://www.touchnote.com/users/signin

      Is that not Ok?
