Skip to main content

Moonpig slammed for "half-arsed security measures" that left data exposed

Moonpig, the online greetings card company, has been accused of ignoring a huge security flaw for over a year and a half.

The security flaw exposes private information, including the names, dates of birth, email and home addresses of some 3.6 million customers, writes cNet.

In his blog, developer Paul Price wrote how he found out about the flaw Moonpig had, and contacted them back in August 2013.

“18th Aug '13 - (yes, 2013!) Initial contact made with vendor. After a few e-mails back and fourth their reasoning was legacy code and they'll "get right on it”, wrote Price in his blog.

"I've seen some half-arsed security messures in my time," wrote Price, "but this just takes the biscuit. Whoever architected this system needs to be waterboarded."

"We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe”, wrote Moonpig in an answer to a Cnet inquiry.

"The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

Price wrote that in order to get a customer ID, a hacker could simply send the API a request, and given that the number of requests is not limited, he could just keep on trying until he succeeded.

Malware intelligence analyst at Malwarebytes, Chris Boyd, says that Moonpig’s slow reaction could cost them more than the security flaw itself: "I think most would agree that Moonpig has been slow to react here, too much time has elapsed between notification and any attempt at a fix.

"At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain. Issues such as these can prove very costly to companies, and now the Information Commissioner’s Office is looking at the details the fallout could be severe."