Movie ticket subscription service MoviePass inadvertently exposed thousands of customer card numbers due to lax security on a critical server.
Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company’s many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service but many also included sensitive user information, such as MoviePass customer card numbers.
MoviePass issues debit cards to its subscribers which it loads with funds used to pay for admission at your local theater.
In total, Hussein said more than 58,000 records in the database contained card data. TechCrunch also found personal credit card numbers, expiration dates and billing information including names and addresses as well as e-mail addresses and logs of failed password attempts. “We found records with enough information to make fraudulent card purchases,” the publication said.
Hussein attempted to contact MoviePass CEO Mitch Lowe over the weekend regarding the matter but didn’t get anywhere. It was only on Tuesday after TechCrunch reached out that MoviePass took the database offline.
