Topcashback users logged in to wrong accounts after recurring security glitch
A security glitch at the cashback website Topcashback has caused hundreds of users to be 'partially' logged in to someone else's account over the past month, MoneySavingExpert.com can reveal – with usernames, shopping history via the website, earnings and some email addresses viewable.
Topcashback insists the problem has now been fixed and users' most sensitive information such as password and bank details were not compromised, as the bug meant users were only 'partially' rather than fully logged in.
The site also says any transactions made by users logged in to the wrong account should still result in cashback being credited to the correct account.
The website adds that it didn't proactively contact those affected to tell them about the security issue, but it's now in the process of doing so.
Here's the full lowdown on what happened and how users may have been affected – for more on how this sort of site works, see our Top Cashback Sites guide.
What exactly happened?
Topcashback says that it's aware users were logged in to the wrong accounts on four occasions within the past few weeks:
Fri 24 Feb: 2.19pm to 6.06pm
Fri 3 Mar: 9.36am to 12.04pm
Sat 4 Mar: 12.17pm to 3.24pm
Sat 4 Mar: 7.17pm to 8.49pm
In total 304 users logged in to the wrong account. The problem arose because a glitch meant users were allocated the same 'session ID', meaning when they entered their usual email and password they were 'partially' logged in to someone else's account.
Those who logged in to the wrong account were able to access the 'Account Overview', 'Earnings' and 'Dashboard' pages, and so see another user's recent shopping history via the website, earnings and username.
Sensitive details such as names, addresses and bank details were not revealed – Topcashback says all those affected by the glitch were only 'partially' logged in to the wrong account and so would have had to log in again to view the 'Payout' or 'My Profile' tabs which contain this information.
However, some users who logged in on 24 February or 3 March – Topcashback says it was fewer than 30 in total – may have also seen another user's email address if they clicked the 'Payout' or 'My Profile' tab, as the pop-up which asks for your log in details when you do this was auto-populated with the email address.
'I accessed three different accounts'
Jude, the MoneySaver and Topcashback user who first alerted us to the problem, told us she experienced it on 24 February.
She told us: "I accessed my Topcashback account to check how much I had earned and realised the figure was wrong. Then I noticed it wasn't my username.
"I had accessed another person's account. I could view their email address, earnings and merchants [companies she's earned cashback from via Topcashback]… I logged off and on again three times and each time accessed a different account."
TopCashback users were logged in to wrong accounts due to a recurring security glitch
Is my cashback safe?
Topcashback says as no one would have been able to reach the relevant pages where cashback is paid out from, existing cashback stored in your account should be safe.
What's more, even if you were logged in to the wrong account, didn't notice and went on to make a purchase, Topcashback says your cashback should still have tracked to your correct account. That's because it doesn't just track clicks through to retailers via the session ID, but also via other measures which it says weren't affected.
Could it happen again?
Topcashback says it's now identified the cause of the issue and "disabled the functionality".
A spokesperson said: "The longer-term solution is to find an appropriate replacement for the disabled functionality. We are confident the issue will not occur again and are working hard to ensure this is the case."
What does Topcashback say?
Andy Bayes, chief information officer at Topcashback, said: "We take security and the privacy of data very seriously and implement rigorous precautions to protect data in accordance with industry requirements. We believe no customer information or data was at risk other than a limited number of email addresses.
"We are in the process of informing all affected members and are working hard to answer any questions and concerns they may have."