Moonpig, a customizable greeting card company, had 3 million customers' personal information exposed after a developer detailed a security vulnerability online.
Paul Price explained on his blog that the flaw in the application programming interface (API) could allow attackers to view and impersonate users' customer IDs to place orders, add and retrieve card information, and view saved addresses and orders, among other actions.
Price first told Moonpig about the vulnerability in August 2013, but after nearly 18 months, and repeated attempts at contact, he went public with his findings.
“Initially I was going to wait until they fixed their live endpoints but given the timeframes I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers,” Price wrote.
The greeting card company suspended access to its mobile apps following news of the vulnerability.