Moonpig API Exposes Customer Info
Security researcher Paul Price discovered a flaw in the API used by UK greeting card company Moonpig. The API does not require authentication and exposes customer account details. He notified the company of his findings in August 2013. After 17 months, Price publicly disclosed the vulnerability.
Moonpig tweeted that customer passwords and payment information have always been secure; however, customers quickly noticed that the statement did not mention other personal account details. In the meantime, Moonpig has disabled its apps and posted a brief message to its customers.