A bug on Moonpig’s API has potentially exposed personal data and partial credit card information of the greeting card firm’s 3.6 million customers, according to the developer Paul Price.
Writing on his blog, he said hackers could exploit the flaw by simply changing the ID number in an API request, adding that the firm had failed to fix the problem despite his having reported it to them back in August 2013.
"I’ve seen some half-arsed security measures in my time but this just takes the biscuit," he said.
"Initially I was going to wait until they fixed their live endpoints but given the timeframes I’ve decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this)."
He claimed that hackers could "easily place orders" through other accounts, retrieve card information, or view saved addresses and orders, all without having to authenticate.
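The flaw described above is a missing object-level authorization check: the API trusts whatever customer ID the request carries. The following is an added illustration, not Moonpig's code or Price's; the handler, data and log lines are hypothetical and constructed. It shows the vulnerable lookup beside the fixed one (the requested ID must match the authenticated account) and a simple detector for one client walking many customer IDs in an access log.

```python
import re
from collections import defaultdict

# Constructed sample records keyed by customer ID (hypothetical data).
CUSTOMERS = {
    1001: {"name": "Alice Example", "card_last4": "4242", "address": "1 Sample St"},
    1002: {"name": "Bob Example", "card_last4": "1111", "address": "2 Sample Rd"},
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""

def get_customer_vulnerable(requested_id):
    # Trusts the ID in the request: any caller can read any account.
    return CUSTOMERS[requested_id]

def get_customer_fixed(session_customer_id, requested_id):
    # Object-level authorization: the ID in the request must belong to the
    # authenticated session; an unauthenticated call has no session at all.
    if session_customer_id is None:
        raise Forbidden("authentication required")
    if session_customer_id != requested_id:
        raise Forbidden("object belongs to another account")
    return CUSTOMERS[requested_id]

def is_forbidden(session_customer_id, requested_id):
    # Convenience wrapper: True when the fixed handler refuses the request.
    try:
        get_customer_fixed(session_customer_id, requested_id)
        return False
    except Forbidden:
        return True

# Constructed access-log lines (hypothetical format): one client reads
# several different customer IDs, another reads only its own.
ACCESS_LOG = """\
203.0.113.5 GET /api/customer/1001 200
203.0.113.5 GET /api/customer/1002 200
203.0.113.5 GET /api/customer/1003 200
203.0.113.5 GET /api/customer/1004 200
198.51.100.7 GET /api/customer/1002 200
"""
LINE_RE = re.compile(r"^(\S+) GET /api/customer/(\d+) (\d{3})$")

def detect_enumeration(log_text, max_distinct_ids=2):
    # Flag clients that read more distinct customer IDs than one
    # legitimate account would plausibly touch.
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(ip for ip, ids in seen.items() if len(ids) > max_distinct_ids)
```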
Moonpig appeared to have shut down the exposed APIs in the wake of his post on Monday, but had yet to respond to requests for comment from CBR.
"[Roughly] 17 months is more than enough time to fix an issue like this," he added. "It appears customer privacy is not a priority to Moonpig."
A spokesperson from British data regulator the Information Commissioner’s Office said: "We are aware of the incident at Moonpig.com and are looking into the details."