MoviePass Left Tens Of Thousands Of Credit Card Numbers Exposed Online
from the whoops-a-daisy dept
MoviePass initially seemed like it might be a plausible idea, though recently the outfit has been exposed for being terrible at this whole business thing. The service initially let movie buffs pay $30 a month in exchange for unlimited movie tickets at participating theaters, provided they signed up for a full year of service. But recent reports have made it clear company leaders had absolutely no idea what they were doing, the service was routinely hemorrhaging cash (particularly after an unsustainable price drop to $10), and execs even tried to change user passwords to prevent users from actually using the service.
Apparently, the outfit wasn’t too hot at this whole internet security thing, either.
Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, recently discovered that the company had left tens of thousands of user credit card numbers exposed to the internet. An unsecured database on one of the company’s subdomains left 161 million records of various types exposed (a number, if precedent holds, that could grow even larger). And while much of this data was not sensitive, a good chunk of it was:
“We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated.
The database had more than 58,000 records containing card data — and was growing by the minute.”
Some customer names and addresses were also exposed to the internet. The data also included logs of failed login attempts, as well as subscriber email addresses. None of the records in the exposed database had been encrypted. The data had been exposed for months, and like so many companies, MoviePass didn’t appear to be in much of a rush to address the problem:
“The database was exposed for months. Yonathan Klijnsma, threat researcher at cyberthreat intelligence firm RiskIQ, found evidence that the database was open from early May. Then, after we published this story, security researcher Nitish Shah told TechCrunch he also found the exposed database months earlier. “I even notified them, but they [didn’t bother] to reply or fix it,” he said. He provided a screenshot of the exposed database for proof, which we verified.”
With the number of companies that have been embarrassed for leaving sensitive customer data exposed to the internet, you’d think we’d be seeing fewer of these kinds of scandals as companies work to audit and secure their systems. Yet we seem to be seeing more of these breaches (especially private data left exposed in unprotected Amazon cloud buckets) each and every month.