A U.K. developer has reported that Moonpig, a U.K.-based personalized greeting card, mug, T-shirt and wall art business, has exposed personal data from over 3 million customer accounts because of an API flaw. The flaw was originally reported privately in August 2013. After a follow-up in September 2014, Moonpig promised a fix by Christmas 2014. Now, nearly 18 months after the initial report, the developer has decided to go public with details on the vulnerability.
For starters, the Moonpig API does not enforce authentication, according to the developer. An attacker can impersonate any customer account and add or retrieve credit card information, view saved addresses, review order history and more. The help docs indicate that the API supports OAuth 2.0, which, if it were enforced, would close part of the hole; as deployed, however, no authentication method is enforced at all. Authentication on its own is only half of the fix: an API that accepts a caller-supplied account identifier must also check that the authenticated caller owns that account, otherwise a valid login for one account still reads every other.
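The class of flaw described above, shown as an added illustration (this is not Moonpig's code and does not reflect its real endpoints, parameters or token format, none of which the report details): a request handler that trusts a client-supplied customer identifier and never checks who is asking, next to a hardened version that takes the customer identity from a verified bearer token and refuses requests for any other customer's record. The customer table, the `customerId` parameter and the HMAC token scheme are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data standing in for a customer database (not Moonpig's).
CUSTOMERS = {
    "1001": {"name": "Alice", "addresses": ["1 High St"], "cards": ["**** 4242"]},
    "1002": {"name": "Bob", "addresses": ["2 Low Rd"], "cards": ["**** 1111"]},
}

# Hypothetical server-side signing key for bearer tokens (assumption for the demo).
SERVER_KEY = b"demo-server-key-not-for-production"


def issue_token(customer_id: str) -> str:
    """Mint an HMAC-signed token bound to one customer (hypothetical scheme)."""
    tag = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"


def verify_token(token: str):
    """Return the customer id the token was issued for, or None if it is
    malformed or the signature does not verify."""
    try:
        customer_id, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return customer_id


def get_addresses_vulnerable(request: dict) -> dict:
    """Flawed handler: trusts the customerId in the query string and never
    establishes who the caller is, so anyone can read anyone's addresses."""
    customer_id = request["query"].get("customerId")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return {"status": 404}
    return {"status": 200, "addresses": record["addresses"]}


def get_addresses_hardened(request: dict) -> dict:
    """Hardened handler: the customer identity comes from the verified token,
    not from the client, and a customerId in the query must match the
    token's owner (authorization, on top of authentication)."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401}
    owner = verify_token(auth[len("Bearer "):])
    if owner is None:
        return {"status": 401}
    requested = request["query"].get("customerId", owner)
    if requested != owner:
        # Authenticated, but asking for someone else's record.
        return {"status": 403}
    record = CUSTOMERS.get(owner)
    if record is None:
        return {"status": 404}
    return {"status": 200, "addresses": record["addresses"]}


if __name__ == "__main__":
    # An attacker with no credentials asks for customer 1002's saved addresses.
    attack = {"headers": {}, "query": {"customerId": "1002"}}
    print("vulnerable:", get_addresses_vulnerable(attack))
    print("hardened:  ", get_addresses_hardened(attack))

    # Alice holds a valid token for 1001 but requests 1002's record.
    alice = {"headers": {"Authorization": "Bearer " + issue_token("1001")},
             "query": {"customerId": "1002"}}
    print("hardened, cross-account:", get_addresses_hardened(alice))
```

The second request in the usage section is the one worth noting: it is fully authenticated and still rejected. Switching the API to OAuth 2.0 would stop the unauthenticated case, but only the ownership check in the hardened handler stops one legitimate customer from walking every other account by changing an identifier.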
Moonpig responded to the report via Twitter. @MoonpigUK tweeted: "We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe."
Reports indicate that Moonpig has not responded directly to customer complaints, but the API has been taken offline for the time being. Because closing an account requires a phone call to Moonpig, social media sites remain abuzz with customers asking Moonpig to purge their personal data. Moonpig has said its apps will be unavailable while it investigates the situation. Visit the Moonpig newsroom for updates.