Movie ticket subscription service MoviePass is the latest company to suffer a data breach after tens of thousands of customer card numbers and personal credit card numbers were left exposed on a database server that was not password protected.
The exposed database was discovered by SpiderSilk security researcher Mossab Hussein, who found it on one of the company’s many subdomains. The database is massive: it contains over 161 million records, including some pertaining to the service’s daily operations as well as sensitive user information such as MoviePass customer card numbers.
MoviePass issues cards to its customers that work like ordinary debit cards and are issued by MasterCard. Each card carries a cash balance: the company deposits funds onto it, and customers then use it to pay to see movies.
When reviewing the records stored in the exposed database, TechCrunch also found MoviePass customers’ personal credit card numbers, including expiry dates, along with billing information such as names and postal addresses. Not every record was fully exposed, however: in some, the card number was masked so that only the last four digits were visible.
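The distinction above, between records carrying a full card number and records where only the last four digits survive, is exactly what an incident responder has to quantify when scoping a dump like this. The following is an added example, not code from the article or from MoviePass: it scans a handful of constructed records (the card numbers are the public Visa/MasterCard test numbers, not real accounts) and classifies each as containing a full PAN, a masked PAN, or neither. Candidate digit runs are filtered with a Luhn check so that order IDs and timestamps are not counted as card numbers. The record format and field names are assumptions for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Masked PAN: a run of mask characters (X or *), optionally grouped with spaces or
# hyphens, followed by exactly four visible digits.
MASKED_RE = re.compile(r"(?<![\dX*])(?:[X*][ -]?){4,15}\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(record: str) -> str:
    """Return 'full_pan', 'masked_pan' or 'none' for one record."""
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "full_pan"
    if MASKED_RE.search(record):
        return "masked_pan"
    return "none"


def summarize(records):
    """Count records by exposure class; this is the number a responder reports."""
    counts = {"full_pan": 0, "masked_pan": 0, "none": 0}
    for r in records:
        counts[classify_record(r)] += 1
    return counts


# Constructed sample records (assumed format); PANs are public test numbers.
SAMPLE_RECORDS = [
    "cust=1001 name=A. Example card=4111 1111 1111 1111 exp=09/22 zip=94016",
    "cust=1002 name=B. Example card=**** **** **** 4444 exp=01/21",
    "cust=1003 name=C. Example card=XXXXXXXXXXXX0005 exp=12/20",
    "txn=1234567890123456 amount=9.99 status=ok",  # 16 digits, fails Luhn
    "cust=1004 name=D. Example card=5555555555554444 exp=03/23",
    "cust=1005 phone=+1 415 555 0100 login=2019-08-20T13:05:00Z",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec), "|", rec)
    print(summarize(SAMPLE_RECORDS))  # {'full_pan': 2, 'masked_pan': 2, 'none': 2}
```

Run against an actual export, the Luhn filter is what keeps the count honest: a 16-digit transaction or order identifier looks like a card number to a bare regex but almost never passes mod-10, while a masked value such as `**** **** **** 4444` is counted separately because its exposure is far lower.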
After discovering the exposed database, Hussein reached out to MoviePass’ chief executive Mitch Lowe to inform him of the matter but he did not hear back. The database was finally taken offline after TechCrunch reached out to the company.
Hussein found MoviePass’ exposed database using SpiderSilk’s own web mapping tools, which search for internet-connected databases that are not password protected and identify their owners. Findings are then disclosed to the affected companies privately, often in exchange for a bug bounty.
According to the cyberthreat intelligence firm RiskIQ, the database may have been exposed for months: RiskIQ first detected the unsecured server in June.
MoviePass has yet to publicly acknowledge the breach, and this lapse in security will likely do little to help the company as it struggles to gain more customers after growing far too fast. The company has also faced scrutiny recently after it reportedly changed the passwords of users who use its service heavily in order to stop them from seeing more films.