Touchnote, an online service that lets users send digital photographs as physical postcards, has been hacked.
Registered users received a notification email this week alerting them that their names, email addresses and order history had been accessed, and urging them to reset their passwords.
“On 4th November 2015 we received information confirming that Touchnote has been the victim of criminal activity, resulting in the theft of some of our customer data,” the company noted, adding that it would push out additional updates via its Twitter feed.
Touchnote does not store full credit/debit card numbers, expiry dates or security codes; only the last four digits of the card number were exposed. So while payment-card data is not directly at risk in this case, criminals could still use the stolen names, email addresses and order histories to open bogus accounts, or sell them on for use in more targeted, larger-scale spear-phishing or identity-theft attacks.
It also added that “We encrypt all passwords and never store them in plain format. For example, if your password was ‘hello’ it will have appeared in our database as a random combination of letters and digits.”
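The statement calls this “encryption”, but what it describes (a password stored as a fixed-length, random-looking string) is a password hash. The distinction matters: encrypted passwords can be decrypted by whoever holds the key, and even a hash is only as strong as its algorithm and salting. The page does not say which scheme Touchnote used, so the following is an added illustration, not Touchnote’s code. It stores passwords with salted PBKDF2-HMAC-SHA256 (an assumed choice) and contrasts that with an unsalted fast hash, showing why ‘hello’ stored as an unsalted digest is recovered with a simple lookup while the salted, iterated form is not.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Added example. The iteration count, record format and helper names are
# assumptions for illustration; Touchnote's actual scheme is not described on the page.
ITERATIONS = 600_000  # PBKDF2 work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    A fresh 16-byte random salt per user means two users with the same
    password get different records, so a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_md5(password: str) -> str:
    """The weak scheme: deterministic, fast, no salt. Looks 'random' but is trivially looked up."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Lookup attack against unsalted digests.

    Hash each candidate word once; every user whose digest matches is recovered
    at the same cost. With per-user salts this amortisation is impossible.
    """
    table = {unsalted_md5(w): w for w in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def demo() -> Dict[str, object]:
    """Constructed users and a tiny wordlist; returns the observable outcomes."""
    users = {"alice": "hello", "bob": "hello", "carol": "T0uchn0te-p0stcard!"}
    wordlist = ["123456", "password", "hello", "qwerty"]

    # Weak storage: identical passwords give identical digests and fall to a lookup.
    weak = {u: unsalted_md5(p) for u, p in users.items()}
    cracked = crack_unsalted(weak, wordlist)

    # Salted PBKDF2: identical passwords give different records (lower iterations
    # here only so the demo runs quickly; use ITERATIONS in production).
    strong = {u: hash_password(p, iterations=20_000) for u, p in users.items()}
    return {
        "weak_alice_equals_bob": weak["alice"] == weak["bob"],
        "weak_cracked": cracked,
        "strong_alice_equals_bob": strong["alice"] == strong["bob"],
        "strong_verifies": verify_password("hello", strong["alice"]),
        "strong_rejects_wrong": verify_password("hell0", strong["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for an incident like this one is the caveat, not the code: a breach notification saying passwords were “encrypted” tells users nothing about whether the stored form is reversible or brute-forceable, so resetting the password (and any reuse of it elsewhere) is the right response regardless.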
According to the BBC, the company is not yet sure how many customers have been affected, but about 4 million postcards are believed to have been sent via the app since it launched in 2008, and the app is pre-installed on millions of Android handsets.
Mark Bower, global director of product management for HPE Security – Data Security, told us that securing customer data obtained by mobile apps is no different from securing other data: with the technologies available today, sensitive data can be protected easily and quickly, and doing so is a proven, reliable way to also protect customer trust and satisfaction.
“There's simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion,” he said. “The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure.”
The company said that only identity information, not passwords or payment card information, was stolen in the attack, which was first discovered on 4 November.
The UK's National Cyber Crime Unit is helping with the investigation.