Skip to content

The Moonpig Bug: How 3,000,000 Customers' Details Were Exposed

Updated: at 03:59 PM

Some idiot thought that instead of OAuth tokens or the like, “let’s use the integer user id as proof that the user logged in ok”

It’s been all over the British news today: developer Paul Price found a bug in photo-crap-maker Moonpig’s site, one that might have exposed three million users’ personal information. Paul’s got a great technical post about it at — but there’s no decent non-techie explanation except for the one-paragraph summaries in newspapers. It was a perfect storm of tech incompetence: here’s how to avoid doing it yourself.

Watch Tom Scott’s video at