MoviePass Left Tens Of Thousands Of Credit Card Numbers Exposed Online

from the whoops-a-daisy dept

MoviePass initially seemed like it might be a plausible idea, though recently the outfit has been exposed for being terrible at this whole business thing. The service initially let movie buffs pay $30 a month in exchange for unlimited movie tickets at participating theaters, provided they signed up for a full year of service. But recent reports have made it clear company leaders had absolutely no idea what they were doing, the service was routinely hemorrhaging cash (particularly after an unsustainable price drop to $10), and execs even tried to change user passwords to prevent users from actually using the service.

Apparently, the outfit wasn't too hot at this whole internet security thing, either.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, recently discovered that the company had left tens of thousands of user credit card numbers exposed to the internet. An exposed database on one of the company's subdomains held 161 million records of various types (a number that, if precedent holds, could grow even larger). And while much of this data was not sensitive, a good chunk of it was:

"We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated.

The database had more than 58,000 records containing card data — and was growing by the minute."

Some customer names and addresses were also exposed to the internet. The data also included logs of failed login attempts, as well as subscriber email addresses. None of the records in the exposed database had been encrypted. The data had been exposed for months, and like so many companies, MoviePass didn't appear to be in much of a rush to address the problem:

"The database was exposed for months. Yonathan Klijnsma, threat researcher at cyberthreat intelligence firm RiskIQ, found evidence that the database was open from early May. Then, after we published this story, security researcher Nitish Shah told TechCrunch he also found the exposed database months earlier. “I even notified them, but they [didn’t bother] to reply or fix it,” he said. He provided a screenshot of the exposed database for proof, which we verified."

With the number of companies that have been embarrassed for leaving sensitive customer data exposed to the internet, you'd think we'd be seeing fewer of these kinds of scandals as companies work to audit and secure their systems. Yet we seem to be seeing more of these breaches (especially private data left exposed in unprotected Amazon cloud buckets) each and every month.



Filed Under: breaches, credit cards, data breaches
Companies: moviepass

Reader Comments

    Anonymous Coward, 6 Sep 2019 @ 1:48pm

    But recent reports have made it clear company leaders had absolutely no idea what they were doing

    The BusinessInsider story linked from that article is paywalled, so it's hard to tell what you're basing this opinion on. It sounds like they were trying to defraud investors and customers. Given that they got salaries for years and haven't been charged with a crime or sued, I'm not so sure they were clueless.
