Moonpig Security Hole Exposes Credit Card Data of Three Million Customers

By Gary Cutlack

Analysis of Moonpig's API suggests it's been possible to rip user details out from the site for the last 17 months, with security experts saying the site has been accessible and returning the expiry dates and last four digits of credit card details to anyone clever enough to ask.

A detailed look at Moonpig's API exposed what appear to be some pretty huge security holes, with Paul of Paul's Blog fame saying: "...there's no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more."

Chris Boyd, Malware Intelligence Analyst at Malwarebytes, said: "I think most would agree that Moonpig has been slow to react here, too much time has elapsed between notification and any attempt at a fix. At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain. Issues such as these can prove very costly to companies, and now the Information Commissioner’s Office is looking at the details, the fallout could be severe."

For its part, Moonpig denies any data has been at risk, saying in a brief statement: "We can assure our customers that all password and payment information is and has always been safe."

More deserving of pity is Twitter user Leigh O'Riordan, who chose the account name @moonpig when registering for the site. He's currently fielding questions about security vulnerabilities from angry nerds. [The Register]