Moonpig Shuts Down Mobile Apps Over Security Problem That Put 3 Million Customers At Risk

Flickr/Steffen Don't let this pig send birthday cards using your phone.

There's a big problem with Moonpig, the website that lets you send your friends and family personalised greeting cards. The company has turned off its mobile apps while it figures out the problem.

Security researcher Paul Price discovered that a flaw in Moonpig's apps can be used to find personal information about the site's customers.

Price examined the code sent from Moonpig's Android app to the main server and found that it can be easily manipulated to reveal information including addresses, names, dates of birth, credit card expiry dates and even the last four digits of credit card numbers.

Worryingly, it doesn't look like the vulnerability was fixed, even after Moonpig was notified of the problem in August 2013. Price says that he was told Moonpig would "get right on" fixing the code, but that never happened.

The Register is reporting that up to 3 million customers may have had their personal information leaked as part of the security vulnerability. There's no evidence that anyone has actually used the exploit to find the information of customers, but considering that the security flaw has been around since 2013, it's certainly possible.

It looks like Moonpig has shut off its API, however, meaning that people can't use it. Purchases through its iOS and Android apps have also been suspended.

In a statement to Business Insider, Moonpig claimed that some user information was still secure:

We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.


