Touchnote hacked - tells users to reset their passwords

Touchnote 600 1

Touchnote, an online service which takes your digital photographs and then sends them to loved ones as a physical postcard, has been hacked.

The company has sent an email alert to registered users today, advising them that their names, email addresses and order history has been accessed by an unauthorised party. Furthermore, the company is recommending that users change their passwords.

Touchnote email

Part of the email reads as follows:

On 4th November 2015 we received information confirming that Touchnote has been the victim of criminal activity, resulting in the theft of some of our customer data.

The data that was accessed included your name, email address, postal address and your Touchnote order history, registered with

Touchnote does not store your full credit/debit card number, expiry date or security code. Therefore, this information was not accessed.

The data that was accessed included the last four digits of your card number (e.g. XXXX XXXX XXXX 1234) which on its own cannot be used for making financial transactions.

As always, though, we recommend you continue to monitor your card statements and report any suspicious transactions to your card provider.

Your password has not been revealed, but we recommend you change it now

We encrypt all passwords and never store them in plain format. For example, if your password was ‘hello’ it will have appeared in our database as a random combination of letters and digits.

Nonetheless, as a precaution, we do recommend that you change your Touchnote password immediately.

Touchnote goes on sensibly to remind users to ensure that they are not using the same password at any other service.

It should go without saying that you should be on your guard against attempts by the hackers to exploit the information by, for instance, sending out phishing campaigns to the stolen list of email addresses.

At the time of writing Touchnote's website appears to be struggle to cope with traffic, as concerned users visit it for further information.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

2 Responses

  1. graphicequaliser

    November 9, 2015 at 12:11 pm #

    1) Hackers now have full names and postal addresses for thousands of email addresses. That is really bad. The dark web will benefit from that.
    2) Touchnote then have the effrontery to suggest users go to an unencrypted web portal to sign in (revealing usernames and passwords in plain text to wire-sharks) at http://www.touchnote.com/users/signin where the form tag is form id=”signinForm” name=”UserLogin” method=”post” action=”/users/signin” (ie. no hand-on to an https address)

    I despair of these idiots!

    • maybe in reply to graphicequaliser.

      November 16, 2015 at 10:20 am #

      Just tried http://www.touchnote.com/users/signin in a browser.
      It 302 redirected me to https://www.touchnote.com/users/signin

      Is that not Ok?

Leave a Reply