MoviePass exposed thousands of unencrypted customer card numbers

Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found
The database was massive, containing 161 million records at the time of writing and growing in real time.
issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies.
For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema. We reviewed a sample of 1,000 records and removed the duplicates.
A little over half contained unique MoviePass debit card numbers.
Among the records we reviewed, we found records with enough information to make fraudulent card purchases. Some records, however, contained card numbers that had been masked except for the last four digits. The database also contained email addresses and some password data related to failed login attempts.
database
Our dummy email address and password appeared in the database almost immediately. None of the records in the database were encrypted. Hussein
exposed for months, according to data collected by cyberthreat intelligence firm RiskIQ, which first detected the system in late June. We
exposed and its plans to disclose the incident to customers and state regulators.
When reached, a spokesperson did not comment by our deadline. MoviePass has been on a roller coaster since it hit mainstream audiences last year.
The company quickly grew its customer base from 1.5 million to 2 million customers in less than a month.
But MoviePass took a tumble after critics said it grew too fast, forcing the company to cease operating briefly after the company ran out of
numbers went from three million subscribers to about 225,000.
And just this month MoviePass reportedly changed user passwords to hobble access for customers who use the service extensively. Hussein said
exposed database using his company-built web mapping tools, which peek into non-password-protected databases that are connected to the internet and identify the owner.
The information is privately disclosed to companies, often in exchange for a bug bounty. Hussein has a history of finding exposed databases.
He also found an exposed backend database belonging to Blind, an anonymity-driven workplace social network, exposing private user data.