The US cinema subscription service MoviePass left a database of customer information online and unencrypted for months, according to a TechCrunch report. The report says tens of thousands of customer card numbers and names were exposed, many of them with enough information for anyone to make fraudulent credit card purchases.
Dubai-based security researcher Mossab Hussein came across a MoviePass subdomain where the database was hosted. The database held 161 million records when uncovered, some of which included the sensitive information.
The card information included both credit card numbers and MoviePass card numbers. The MoviePass cards are MasterCards pre-loaded with a balance that customers then use to see a film at the cinema. It’s pretty antiquated – much like MoviePass’s security measures.
TechCrunch, which saw the database, said 58,000 records contained card numbers. While some credit card numbers had some of their digits masked, there were several records where someone could easily make purchases, all from a database that was completely unencrypted and hosted online.
TechCrunch also reported that Hussein emailed the CEO of MoviePass Mitch Lowe to explain his findings, as did another threat researcher. After publication, a third person contacted the outlet to say they had notified the company of the exposure ‘months earlier’, but had received no reply, and the hole was not plugged.
“MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement,” said Lowe in a long-overdue statement.
This is just the latest in several years of high-profile data leaks from companies that don’t have adequate encryption and security measures. Famously, the infidelity match-up site Ashley Madison was exposed in 2015, leading to the leaking of thousands of members’ names.