More than 50,000 customer card numbers, some credit card numbers, hundreds of customer email addresses, and hundreds of what appear to be incorrectly typed passwords have been exposed by the movie ticket subscription service MoviePass, according to a new report.
In its report on the exposed database, TechCrunch says that the database had no password protection, that none of the records were encrypted, and that the database was discovered on one of MoviePass’s subdomains by Mossab Hussein, a researcher at the cybersecurity firm SpiderSilk.
The exposed database reportedly contained a total of 161 million records and was growing in real time. The report adds that many of the records were computer-generated logging records that helped to ensure the running of the service. However, thousands of the records are also said to have contained sensitive information from MoviePass customers, which included:
- 58,000 records containing MoviePass customer card data (these cards are similar to regular debit cards and are used by MoviePass customers to pay to watch movies)
- Some records containing personal credit card details
- Hundreds of records containing customer email addresses and what seem to be incorrectly typed passwords
TechCrunch says that it reviewed 1,000 records from the database and over half of these records contained the following MoviePass customer card data:
- The card number
- The card expiry date
- The card balance
- The date the card was activated
Some records reportedly contained the following personal credit card details:
- The card number
- The card expiry date
- The customer’s name
- The customer’s postal address
The report also says that a number of the records contained enough information to make fraudulent purchases.
TechCrunch adds that it tested logging into the MoviePass app using a dummy email address and password and that these dummy details were added to the exposed database almost immediately.
Hussein reportedly contacted MoviePass chief executive Mitch Lowe over the weekend and did not hear back. TechCrunch says it has seen Hussein’s email to Lowe and that MoviePass only took the exposed database offline today after TechCrunch reached out.
According to cyberthreat intelligence firm RiskIQ, this database could have been exposed for months, with its systems first detecting it in late June.
The announcement of these exposed records follows MoviePass being accused earlier this month of changing paying users’ passwords to encourage them to use the service less. This decision was reportedly made because the company couldn’t sustain its low subscription fees and wanted to find a solution to offset the costs.
It also follows a wider pattern of mass data breaches in 2019, with mid-year data indicating that this year is on track to become the worst year on record for data breach activity. So far this year, there have been over 3,800 publicly disclosed data breaches, which have exposed a total of 4.1 billion records.