Online greetings card company Moonpig has been accused of ignoring for over a year a security issue that exposed the names, dates of birth, email and home addresses of the company's 3.6 million customers.
Moonpig enables you to order greetings cards and personalised gifts online. The company was founded in the UK in 2000 and now serves the US and Australia too, having been bought by Photobox in 2011. Developer Paul Price revealed a massive security vulnerability in Moonpig's API this week, but before blowing the whistle Price claims to have contacted Moonpig about the problem way back in August 2013 -- and yet the company did nothing for 17 months. The vulnerability is likely to have been open to attack for even longer.
"I've seen some half-arsed security measures in my time," wrote Price, "but this just takes the biscuit. Whoever architected this system needs to be waterboarded."
Moonpig appears to have taken the API offline. But despite trending on Twitter the company is yet to publicly acknowledge the problem -- at the time of writing, Moonpig UK's last tweet saw the social media team turning their phones to silent to watch "Broadchurch".
"We are aware of the claims made this morning regarding the security of customer data within our apps," a Moonpig representative told us in a statement. "We can assure our customers that all password and payment information is and has always been safe.
"The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."
According to Price, the vulnerability allowed a ne'er-do-well to access a customer ID number by sending in an API request, which did not require authentication. API calls were not rate-limited, so a determined hacker could simply work their way through different combinations until they hit each customer ID. As well as accessing contact details, they could see the last four digits of a saved credit card and place orders on someone else's card.
Unfortunately, protecting yourself isn't as simple as changing a password. "If bad guys accessed your data from Moonpig's systems, as they apparently could have done for the last 17 months at least -- but probably for longer -- then they've already got your contact details, email etc", says security expert Graham Cluley. "Those aren't things you can or are likely to want to change."
At this stage it's unclear whether hackers have exploited the vulnerability. But as Graham Cluley points out, "Moonpig has some tough questions to answer as to why it didn't take the security issue more seriously when it was first told about it back in 2013."
Update, 3pm GMT: Added statement from Moonpig.