Details of up to three million customers of popular online gift shop Moonpig are said to have been exposed by a flaw in the way its site handles API requests.
According to Paul Price, an independent developer, every account could be accessed simply by changing the customer identification number.
Details that could apparently be accessed were said to include names, birth dates, email and street addresses, as well as the expiry dates and last four digits of customers' credit cards.
Price claims to have disclosed the vulnerability privately to Moonpig back in August 2013. The company promised to solve it by September but failed to do so before Christmas.
The Register reports that it was still open as of this morning (although it appears to have now been closed).
Moonpig's PR said in a statement on the company's Twitter account that "We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe."
They have since blocked their mobile apps while undergoing "investigations", although desktop and mobile website access remains unaffected.