The personal records and partial credit card details for all the customers of online customised-products retailer Moonpig - some three million people - have been exposed for the past 18 months due to a flaw reported by developer Paul Price, but not acted upon until now.
Customer names, birth dates, email and street addresses could be accessed simply by changing the customer identification number sent in an API request, and orders could be placed under any account, according to a report in The Register.
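The flaw described above is a missing authorization check: the API looked up whatever customer ID the client supplied instead of binding the lookup to an authenticated principal. The following is an added illustration, not code from Moonpig, The Register or Paul Price's report; the data store, request shape and log lines are constructed for the example. It shows the vulnerable handler beside a hardened one that requires authentication and rejects any request for a record the caller does not own, plus a small detector that flags sources walking through many distinct customer IDs in access logs, which is the traffic pattern such a flaw invites.

```python
"""Constructed example: ID-in-request lookup without authorization vs. the fixed form,
plus a log check for customer-ID enumeration. None of this is Moonpig's code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample records; no real customer data.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid", "card_last4": "1111"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid", "card_last4": "2222"},
}


@dataclass
class Request:
    customer_id: int                        # taken from the URL or body: attacker-controlled
    session_customer_id: Optional[int] = None  # principal established by authentication, or None


def get_customer_vulnerable(req: Request) -> Tuple[int, dict]:
    """The pattern the article describes: trusts the client-supplied ID outright.
    Any caller can read any customer's record by changing one number."""
    record = CUSTOMERS.get(req.customer_id)
    if record is None:
        return 404, {}
    return 200, record


def get_customer_fixed(req: Request) -> Tuple[int, dict]:
    """Hardened form: require an authenticated principal, then enforce ownership.
    The record is resolved from the session, never from the untrusted ID alone."""
    if req.session_customer_id is None:
        return 401, {}                       # no authentication at all
    if req.customer_id != req.session_customer_id:
        return 403, {}                       # authenticated, but not this customer's data
    record = CUSTOMERS.get(req.session_customer_id)
    if record is None:
        return 404, {}
    return 200, record


# Constructed access-log lines in a simple "src=<ip> <method> <path> <status>" layout.
SAMPLE_LOG = """\
2015-01-05T10:00:01Z src=198.51.100.7 GET /api/customers/1001 200
2015-01-05T10:00:02Z src=198.51.100.7 GET /api/customers/1002 200
2015-01-05T10:00:03Z src=198.51.100.7 GET /api/customers/1003 200
2015-01-05T10:00:04Z src=198.51.100.7 GET /api/customers/1004 200
2015-01-05T10:00:09Z src=192.0.2.10 GET /api/customers/1002 200
2015-01-05T10:00:15Z src=192.0.2.10 GET /api/customers/1002/orders 200
"""

_LINE = re.compile(r"src=(?P<src>\S+) \S+ /api/customers/(?P<cid>\d+)")


def flag_enumeration(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Return {source: distinct_customer_ids} for sources that touched at least
    `threshold` different customer IDs. A legitimate client normally reads one
    account; a broad spread of IDs from one source is the enumeration signature."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if m:
            seen[m.group("src")].add(int(m.group("cid")))
    return {src: len(ids) for src, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    cross_account = Request(customer_id=1002, session_customer_id=1001)
    print("vulnerable:", get_customer_vulnerable(cross_account))   # leaks Bob's record
    print("fixed:     ", get_customer_fixed(cross_account))        # (403, {})
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))             # {'198.51.100.7': 4}
```

The fixed handler deliberately ignores the client's ID for the actual lookup and uses the session's principal; comparing the two and returning 403 keeps the URL scheme unchanged while closing the cross-account read. The threshold in `flag_enumeration` is a tuning parameter to set from your own baseline traffic.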
Price was reported as saying: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded. Every API request is like this: there's no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers' accounts, add or retrieve card information, view saved addresses, view orders and much more."
Latest reports say that the exposed APIs have been shut down, but Moonpig has not responded to complaints on social media.