Three million Moonpig accounts exposed by flaw

Darren Pauli reports:

Custom mugs and tat outfit Moonpig has a signficant flaw that exposes personal records and partial credit card details for some three million customer (sic), almost 18 months after it was reported.

The failure, discovered and privately reported by developer Paul Price, meant every account and the names, birth dates, and email and street addresses could be accessed by changing the customer identification number sent in an API request.

Orders could be placed under any account. Credit card expiry dates and last four digits could be plucked out using a handy insecure API.

Read more on The Register.

Update: On Twitter, MoonpigUK tweeted:

We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.

— Moonpig (@MoonpigUK) January 6, 2015

Their tweet was met with skepticism and derision.

The 4TB time bomb: when EY's cloud went public (and what it taught us)
China Amends Cybersecurity Law and Incident Reporting Regime to Address AI and Infrastructure Risks
Alan Turing institute launches new mission to protect UK from cyber-attacks
Safaricom-Backed M-TIBA Victim of a Possible Data Breach Affecting Millions of Kenyans
How a hacking gang held Italy’s political elites to ransom
Predatory Sparrow Strikes: Coordinated Cyberattacks Seek to Cripple Iran's Critical Infrastructure

Related: