April 29, 2021
MoviePass, the subscription-based movie ticketing service that has lurched through a series of financial problems, controversies, and fierce criticism, has blundered again, this time by exposing the payment card information of tens of thousands of its customers. The cause was a database server left accessible to anyone on the internet without a password, and security researcher Mossab Hussein of SpiderSilk did exactly that: he connected and looked. What he found was a set of 161 million records, most of them machine-generated log messages of the kind the service needs to operate. Mixed in with the logs, however, were entries of sensitive customer data, including credit and debit card numbers, their expiration dates, and the card balance at the moment the MoviePass subscription was activated.
TechCrunch verified the report and found that the database was still live, so the number of entries kept growing while it remained exposed. As of yesterday, roughly 58,000 records containing card numbers had been identified. The worrying part is that most of these records also carry the cardholder's name and postal address, and while some card numbers were partially masked, the majority contained the full, unmasked digits and were readable as-is. The card data was stored in plaintext; no encryption was applied to any of it.
The researcher tried to notify MoviePass but was ignored. TechCrunch managed to reach the company on Tuesday, and the database was finally taken offline yesterday. How long it had been exposed is not known, but according to RiskIQ it was accessible at least since late June. So far MoviePass has published no statement about the incident. What is already clear is that the company was not handling its customers' sensitive data responsibly: whatever mistakes were made in securing the server, the card records should never have been sitting in plaintext. Full card numbers have no business in application logs at all, and the PCI DSS requires the primary account number to be rendered unreadable wherever it is stored, precisely so that a misconfigured server does not turn into a card-data breach.
MoviePass was already in a very tight spot, unable to cope with the growing number of subscribers and resorting to dubious measures to deal with its problems. It has repeatedly failed to deliver the promised service, caused confusion and anger with extended outages, and even reset the passwords of its heaviest users to keep them from logging in to the platform. There are already reports of the company losing millions each month, so this latest news does nothing to help it out of the quicksand it has been sinking into for quite some time now.