Moonpig shuts down mobile apps after 3m accounts exposed

Moonpig, the service that lets you send personalised greetings cards, has shut down its mobile apps after uncovering a security flaw.

The vulnerability means that every single account – that amounts to around 3 million – has been at risk of exposure to hackers.

The flaw exposed all information like users’ full names, dates of birth, e-mail addresses, home addresses, as well as expiry dates and the last four digits of credit and debit cards.

A spokesperson from Moonpig got back to us about the issues, and said the following: “We are aware of the claims made this morning rgarding the security of customer data within our apps. We can assure our customers that all password and payment information is and has always been safe.”

“The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.”

“As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”

Paul Price, an app developer, was behind the discovery, and wrote in a blog post: “I’ve seen some half-arsed security measures in my time but this just takes the biscuit.”

“Whoever architected this system needs to be waterboarded,” continued Price. “There’s no authentication at all and you can pass in any customer ID to impersonate them.”

He added: “An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.”

Related: Sony CEO Kazuo Hirai calls Sony Pictures hack a ‘vicious cyber attack’

Price alleges he warned Moonpig about the exploit initially back on August 18 2013, but by September 2014 the vulnerability still hadn’t been fixed.

He then contacted Moonpig again, only to be told that the flaw would be patched ‘after Christmas’.

“17 months is more than enough time to fix an issue like this,” said price. “It appears customer privacy is not a priority to Moonpig.”