Moonpig apps unavailable as it confirms security flaw

 
Emma Haslett
Follow Emma
The company said its apps will be down while it investigates the flaw (Source: Moonpig)

Moonpig has confirmed it's "investigating" a vulnerability in its code which means personal details of three million customers may have been exposed for almost a year and a half.

The company said many of its apps would be "unavailable for a time" while it looked into a blog posted yesterday warning that hackers could easily access details, including credit card info and past orders - as well as allowing them to place new ones.

The fiercely critical blog was posted by developer Paul Price, who said he had originally warned Photobox, which owns Moonpig, back in August 2013. After 18 months of no action from Moonpig, he decided to go public. Here's a sample from his scathing blog:

I've seen some half-arsed security messures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded.
This morning, Moonpig said:
We are aware of the claims made this morning regarding the security of customer data within our apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our apps will be unavailable for a time while we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.
Moonpig is the latest in a long line of companies to have security flaws exposed. Last year hackers exploited a weakness in Apple's iCloud software to access thousands of photos of celebrities, posting nude pictures of Hunger Games actress Jennifer Lawrence and other celebrities online.
In December 2013, hackers stole details from millions of Target customers in a meticulously planned attack. The chain came in for criticism after it took several days to respond to the breach.

Related articles