Thousands of MoviePass customer card numbers and customers' personal credit-card details were found sitting in an unprotected database belonging to the popular movie-ticket subscription service. The database was reachable from the internet with neither password protection nor encryption of the data it held. It contained some 161 million records, of which more than 58,000 held card data, including the numbers of the MoviePass customer cards that store the cash balances subscribers use to pay for tickets.
Who discovered the exposed database?
According to a TechCrunch report, security researcher Mossab Hussein of Dubai-based SpiderSilk discovered that the database on a MoviePass subdomain containing some 161 million records was left exposed on the internet.
TechCrunch also pointed out in its report that, “It’s understood that the database may have been exposed for months, according to data collected by cyberthreat intelligence firm RiskIQ, which first detected the system in late June.”
What records were exposed?
Of the card records reviewed, a little over half contained unique MoviePass customer card numbers. The records revealed the card number, expiry date, customer card balance and card activation date. TechCrunch also reported that more than 58,000 records contained customer card data and that the record count was growing by the minute while the database remained exposed.
TechCrunch pointed out that these MoviePass customer cards work like normal debit cards: they are issued by Mastercard and store a cash balance, which subscribers use to pay for tickets from a catalogue of movies. In return for a monthly subscription fee, MoviePass loads the full cost of a ticket onto the card, and the customer then uses the card to pay for that ticket at the cinema.
The database also held customers' personal credit-card information: card numbers, expiry dates, billing information, names and postal addresses, all unprotected. Alongside this were email addresses, records of failed login attempts and the incorrectly typed passwords from those attempts, all in plaintext.
“None of the records in the database were encrypted,” pointed out the TechCrunch report.
Did MoviePass respond?
Hussein contacted the chief executive of MoviePass, Mitch Lowe, by private email, which the TechCrunch team verified. According to TechCrunch, Hussein also asked several further questions, including why the database had been left unprotected and whether the company planned to disclose the incident to state data-breach regulators. MoviePass did not respond to any of these questions, and Hussein went public with the findings after receiving no reply. He told TechCrunch, “The company was negligent in leaving data unencrypted in an exposed, accessible database.”
“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussein told TechCrunch. “In the case of the MoviePass incident, we are questioning the reason why internal technical teams would ever be allowed to see such critical data in plaintext, let alone the fact that the data set was exposed for public access by anyone.”