Moonpig shuts down mobile apps after 3m accounts exposed

Moonpig, the service that lets you send personalised greetings cards, has shut down its mobile apps after uncovering a security flaw.

The vulnerability means that every single account – that amounts to around 3 million – has been at risk of exposure to hackers.

The flaw exposed information including users’ full names, dates of birth, e-mail addresses and home addresses, as well as expiry dates and the last four digits of credit and debit cards.

A spokesperson from Moonpig got back to us about the issues, and said the following: “We are aware of the claims made this morning regarding the security of customer data within our apps. We can assure our customers that all password and payment information is and has always been safe.”

“The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.”

“As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”

Paul Price, an app developer, was behind the discovery, and wrote in a blog post: “I’ve seen some half-arsed security measures in my time but this just takes the biscuit.”

“Whoever architected this system needs to be waterboarded,” continued Price. “There’s no authentication at all and you can pass in any customer ID to impersonate them.”

He added: “An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.”


Price alleges he warned Moonpig about the exploit initially back on August 18 2013, but by September 2014 the vulnerability still hadn’t been fixed.

He then contacted Moonpig again, only to be told that the flaw would be patched ‘after Christmas’.

“17 months is more than enough time to fix an issue like this,” said Price. “It appears customer privacy is not a priority to Moonpig.”
