MoviePass left thousands of user card numbers exposed in unprotected database

MoviePass, a subscription-only move ticket service, exposed tens of thousands of its users’ credit card information due to insufficient security of a server, TechCrunch reports. The exposed database, discovered by cybersecurity company SpiderSilk, reportedly contained 161 million records, many of which included credit card numbers and other private information. TechCrunch explains:

“These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.”

The tech publication examined a sample of 1,000 of the aforementioned records and found that more than half showed MoviePass debit card numbers, expiration dates, account balances and the time of activation. Also contained in the records were personal credit card numbers, including expiration date and billing information (names and addresses).

MoviePass has since closed the database, which was accessible for months. TechCruch says it reached out to MoviePass with a number of specific questions but that the company’s only response was the following generic statement:

“MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.”

SpiderSilk’s Mossab Hussein, the researcher who first discovered the vulnerable database, told TechCrunch that there is no excuse for MoviePass’ negligence in this scenario, which is one we keep seeing played out over and over again across the digital world.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” he said. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext—let alone the fact that the data set was exposed for public access by anyone.”