Darren Pauli reports:
Custom mugs and tat outfit Moonpig has a significant flaw that exposes personal records and partial credit card details for some three million customer (sic), almost 18 months after it was reported.
The failure, discovered and privately reported by developer Paul Price, meant every account and the names, birth dates, and email and street addresses could be accessed by changing the customer identification number sent in an API request.
Orders could be placed under any account. Credit card expiry dates and last four digits could be plucked out using a handy insecure API.
Read more on The Register.
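The bug described above is a textbook insecure direct object reference: the client supplies a customer identifier in the API request and the server authenticates the caller but never checks that the identifier belongs to them. The following is an added illustration, not Moonpig's code or Price's proof of concept; the record store, session table, handler names and log lines are all constructed for the example. It shows the vulnerable handler beside a hardened one that enforces object-level authorization, the attacker's sequential-id walk against each, and a simple log heuristic that flags a session touching many distinct customer ids.

```python
"""Illustrative IDOR pattern (constructed example, not Moonpig's API)."""
from dataclasses import dataclass


@dataclass
class Customer:
    customer_id: int
    name: str
    email: str
    card_last4: str


# Constructed sample records; ids are sequential, as enumerable ids often are.
CUSTOMERS = {
    1001: Customer(1001, "Alice", "alice@example.com", "4242"),
    1002: Customer(1002, "Bob", "bob@example.com", "1111"),
    1003: Customer(1003, "Carol", "carol@example.com", "9999"),
}

# Hypothetical session store: bearer token -> authenticated customer id.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def get_customer_vulnerable(session_token, customer_id):
    """Authenticates the caller, then trusts the client-supplied customer_id.
    Any valid session can read any record simply by changing the id."""
    if session_token not in SESSIONS:
        return None  # 401 in a real API
    return CUSTOMERS.get(customer_id)


def get_customer_fixed(session_token, customer_id):
    """Object-level authorization: the requested id must be the session owner's.
    A mismatch is treated the same as a missing record so the endpoint cannot
    be used as an oracle for which ids exist."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return None  # 401
    if customer_id != owner:
        return None  # 403 in a real API; return nothing about the other record
    return CUSTOMERS.get(customer_id)


def get_own_customer(session_token):
    """Stronger fix: do not accept an id from the client at all; derive it
    from the authenticated session."""
    owner = SESSIONS.get(session_token)
    return CUSTOMERS.get(owner) if owner is not None else None


def enumerate_records(handler, session_token, id_range):
    """The attacker's loop: one legitimate session, sequential ids."""
    found = {}
    for cid in id_range:
        rec = handler(session_token, cid)
        if rec is not None:
            found[cid] = rec
    return found


def sessions_touching_many_ids(access_log, threshold):
    """Detection heuristic over (session_token, requested_customer_id) pairs.
    A real customer's session touches its own id; an enumerating session
    touches many, so count distinct ids per session."""
    seen = {}
    for token, cid in access_log:
        seen.setdefault(token, set()).add(cid)
    return {tok for tok, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("vulnerable:", sorted(enumerate_records(get_customer_vulnerable, "tok-alice", ids)))
    print("fixed:     ", sorted(enumerate_records(get_customer_fixed, "tok-alice", ids)))
    # Constructed access log: Bob reads his own record; Alice's token walks ids.
    log = [("tok-bob", 1002)] + [("tok-alice", cid) for cid in ids]
    print("suspicious:", sessions_touching_many_ids(log, threshold=3))
```

Note that the hardened handler fails closed with the same response for "not yours" and "does not exist"; distinguishing the two would still let an attacker map which customer ids are live. Using non-sequential identifiers (random UUIDs) raises the cost of enumeration but is not a substitute for the authorization check, since an id leaked anywhere else would still be usable.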
Update: On Twitter, MoonpigUK tweeted:
We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.
— Moonpig (@MoonpigUK) January 6, 2015
Their tweet was met with skepticism and derision.