Moonpig shuts down mobile apps after 3m accounts exposed

Moonpig, the service that lets you send personalised greetings cards, has shut down its mobile apps after uncovering a security flaw.

The vulnerability means that every single account – that amounts to around 3 million – has been at risk of exposure to hackers.

The flaw exposed information such as users’ full names, dates of birth, e-mail addresses and home addresses, as well as the expiry dates and last four digits of credit and debit cards.

A spokesperson from Moonpig got back to us about the issues, and said the following: “We are aware of the claims made this morning regarding the security of customer data within our apps. We can assure our customers that all password and payment information is and has always been safe.”

“The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.”

“As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”

Paul Price, an app developer, was behind the discovery, and wrote in a blog post: “I’ve seen some half-arsed security measures in my time but this just takes the biscuit.”

“Whoever architected this system needs to be waterboarded,” continued Price. “There’s no authentication at all and you can pass in any customer ID to impersonate them.”

He added: “An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.”

Price alleges he warned Moonpig about the exploit initially back on August 18 2013, but by September 2014 the vulnerability still hadn’t been fixed.

He then contacted Moonpig again, only to be told that the flaw would be patched ‘after Christmas’.

“17 months is more than enough time to fix an issue like this,” said Price. “It appears customer privacy is not a priority to Moonpig.”
