South Africa’s oldest online gifting retailer, NetFlorist, has been hit by a critical security vulnerability that exposed sensitive customer information online.
According to a report by MyBroadband, unsecured API endpoints on the platform allowed access to private user information, including full names, usernames, email addresses, cellphone numbers, genders, and physical addresses.
The flaw reportedly stemmed from API endpoints using sequential numerical IDs, making it possible for anyone to scrape customer information simply by increasing the identifier number.
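The pattern described above is an insecure direct object reference: an endpoint that looks records up by a guessable sequential number and never checks whether the caller is entitled to that record. The following added example is not code from Netflorist or from the MyBroadband report; it models the weak design next to a hardened handler that binds each lookup to the authenticated caller, and adds a small log-based check that flags a client walking through consecutive IDs. All names, records, paths and log lines are constructed for illustration.

```python
"""
Added example (not from the MyBroadband report or from Netflorist): a toy
model of the insecure direct object reference (IDOR) pattern the article
describes, an API endpoint that looks customers up by a sequential numeric
ID without checking who is asking, next to a hardened version that binds
the lookup to the authenticated caller, and a small log-based detector that
flags a client requesting consecutive IDs. All names, records and log lines
are constructed for illustration.
"""
from collections import defaultdict
from typing import Optional

# Constructed customer table keyed by sequential ID (the risky design).
CUSTOMERS = {
    1001: {"owner_id": 1001, "name": "A. Example", "email": "a@example.invalid"},
    1002: {"owner_id": 1002, "name": "B. Example", "email": "b@example.invalid"},
    1003: {"owner_id": 1003, "name": "C. Example", "email": "c@example.invalid"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def get_profile_vulnerable(customer_id: int) -> Optional[dict]:
    """Vulnerable handler: any caller can read any record by guessing the ID."""
    return CUSTOMERS.get(customer_id)


def get_profile_hardened(caller_id: int, customer_id: int) -> dict:
    """Hardened handler: the record must belong to the authenticated caller.

    Authentication is assumed to have already produced caller_id (e.g. from a
    session or token); the authorization check happens here, server side.
    Unknown and foreign records are treated identically so the response does
    not reveal whether a given ID exists.
    """
    record = CUSTOMERS.get(customer_id)
    if record is None or record["owner_id"] != caller_id:
        raise Forbidden("not permitted")
    return record


def detect_enumeration(log_lines, window=3):
    """Flag clients that request `window` or more consecutive IDs in order.

    Each constructed log line has the form "client_ip GET /api/customer/<id>".
    Returns the set of client IPs whose request sequence contains a run of at
    least `window` strictly consecutive integers, a cheap signal that someone
    is walking the ID space rather than using the application normally.
    """
    ids_by_client = defaultdict(list)
    for line in log_lines:
        client, _method, path = line.split()
        ids_by_client[client].append(int(path.rsplit("/", 1)[1]))
    flagged = set()
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= window:
                flagged.add(client)
                break
    return flagged


SAMPLE_LOG = [  # constructed access-log lines
    "203.0.113.5 GET /api/customer/1001",
    "203.0.113.5 GET /api/customer/1002",
    "203.0.113.5 GET /api/customer/1003",
    "198.51.100.9 GET /api/customer/1002",
]

if __name__ == "__main__":
    print(get_profile_vulnerable(1002))          # leaks B's record to anyone
    print(get_profile_hardened(1002, 1002))      # owner reads own record
    try:
        get_profile_hardened(1001, 1002)         # A asks for B's record
    except Forbidden:
        print("denied")
    print(detect_enumeration(SAMPLE_LOG))        # {'203.0.113.5'}
```

The ownership check is the fix that matters: switching to random identifiers alone only makes guessing harder, while a server-side check that the record belongs to the caller closes the hole regardless of how IDs are generated. The enumeration detector is a coarse signal for operations teams and should be tuned to the traffic of the real application.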
Customer and recipient data exposed
The vulnerability extended beyond registered users, with address book data also reportedly accessible. This means personal details belonging to gift recipients — many of whom may never have signed up with Netflorist — could also be viewed online.
Cybersecurity experts have warned that exposed personal information can be used in targeted phishing and fraud attacks, commonly known as spear phishing.
The report cited Visa and Discovery Bank’s SpendTrend26 South African Consumer Survey, which found that 41% of respondents experienced phishing attempts through email or SMS during 2025.
Netflorist reportedly alerted before publication

MyBroadband said it was first alerted to the issue by a Netflorist customer who allegedly discovered the vulnerable API endpoints and disclosed the matter to the company on 30 April.
Netflorist managing director Ryan Bacher reportedly said the company took the report seriously but maintained there was no exploitable vulnerability in its systems.
Bacher told the publication that Netflorist’s security team had reviewed the issue and believed the endpoints were restricted and not accessible externally.
However, MyBroadband said it independently verified that the endpoints remained publicly accessible at the time of publication and that customer data could still be viewed.
POPIA complaint reportedly filed
The customer who identified the flaw has reportedly lodged a formal complaint with South Africa’s Information Regulator under the Protection of Personal Information Act (POPIA).
Bacher also reportedly said Netflorist’s security team planned to add “an extra layer of security” to the affected links by the end of next week, although he maintained there was no immediate threat.
At the time of publication, Netflorist had reportedly not confirmed whether it intended to notify the Information Regulator about the potential exposure of customer data.