MoviePass left customers' credit card numbers exposed on unprotected server

MoviePass isn't having the best year.
By Caitlin Welsh
MoviePass gonna MoviePass. Credit: DARRON CUMMINGS/AP/REX/SHUTTERSTOCK

MoviePass, the cinema subscription service that's gone from "This is too good to be true" to "What is even going on I'm so tired" in a series of reinventions, has had another setback.

The company left details of thousands of MoviePass customer cards, and of tens of thousands of customers' credit cards, visible on a server that was not password-protected, according to a security research firm.

The database, which a reporter from TechCrunch observed "growing in real time," contained more than 161 million records and counting, ranging from logging details generated in the course of a normal running day to unencrypted user details. Credit or debit card details were available, too, including card numbers, expiration dates, cardholder names, and billing addresses in plaintext.

MoviePass customer cards are basically MasterCard-issued debit cards; customers pay the monthly fee, and the service loads up the cards with the price of a movie ticket when a screening is booked, so subscribers can then buy them at the box office with the card.

(A MoviePass card could technically be used to make any debit purchase, users theorise, although it would get the account holder banned pretty swiftly.)

The unprotected dataset was detected by systems developed by Dubai-based firm spiderSilk, and confirmed manually by the firm's security team before they notified MoviePass, which did not respond.

Security researcher Mossab Hussein told Mashable that while his team can't tell for sure whether the database had been accessed by other parties, they estimate the number of credit cards that could be exposed in the dataset runs into the tens of thousands, in addition to around 50,000 MoviePass cards.

"Simple best practices should have prevented any of this from happening in the first place," Hussein said. "But we see a lot of companies not worrying as much as they should, when it comes to 'internal tools' and 'internal logging.' And they justify this by saying something along the lines [of] 'Oh, it's only for internal use and analysis.'"

Mashable has contacted MoviePass's parent company Helios + Matheson for comment on the exposure, including the reasons why the database was only taken offline after TechCrunch notified them of the issue and not when Hussein reached out over the weekend.

"We've seen companies that took 30 days to acknowledge a finding, and we've also seen companies that acknowledged and patched a finding within 60 minutes," Hussein said. "But our position has always been very strict about this topic. Companies panic and respond in seconds if their apps are down ... they should treat the safety of their customer data just the same."

Caitlin Welsh

Caitlin is Mashable's Australian Editor. She has written for The Guardian, Junkee, and any number of plucky little music and culture publications that were run on the smell of an oily rag and have since been flushed off the Internet like a dead goldfish by their new owners. She also worked at Choice, Australia's consumer advocacy non-profit and magazine, and as such has surprisingly strong opinions about whitegoods. She enjoys big dumb action movies, big clever action movies, cult Canadian comedies set in small towns, Carly Rae Jepsen, The Replacements, smoky mezcal, revenge bedtime procrastination, and being left the hell alone when she's reading.
