MoviePass left customers’ credit card numbers exposed on unprotected server

MoviePass, the cinema subscription service that’s gone from “This is too good to be true” to “What is even going on I’m so tired” in a series of reinventions, has had another setback. 

The company left thousands of customer card details, and tens of thousands of customers’ credit card details, visible on a server that was not password protected, according to a security research firm. 

The database, which a reporter from TechCrunch observed “growing in real time,” contained more than 161 million records and counting, ranging from logging details generated in the course of a normal running day to unencrypted user details. Credit or debit card details were available, too, including card numbers, expiration dates, cardholder names, and billing addresses in plaintext.

MoviePass customer cards are basically MasterCard-issued debit cards; customers pay the monthly fee, and the service loads up the cards with the price of a movie ticket when a screening is booked, so subscribers can then buy them at the box office with the card.

(A MoviePass card could technically be used to make any debit purchase, users theorise, although it would get the account holder banned pretty swiftly.)

The breach was detected by systems developed by Dubai-based firm spiderSilk, and confirmed manually by the firm’s security team before they notified MoviePass, which did not respond. 

Security researcher Mossab Hussein told Mashable while his team can’t tell for sure whether the database had been accessed by other parties, they estimate the number of credit cards that could be exposed in the dataset runs into the tens of thousands, in addition to around 50,000 MoviePass cards.

“Simple best practices should have prevented any of this from happening in the first place,” Hussein said. “But we see a lot of companies not worrying as much as they should, when it comes to ‘internal tools’ and ‘internal logging.’ And they justify this by saying something along the lines [of] ‘Oh, it’s only for internal use and analysis.'”

Mashable has contacted MoviePass’s parent company Helios + Matheson for comment on the exposure, including the reasons why the database was only taken offline after TechCrunch notified them of the issue and not when Hussein reached out over the weekend.

“We’ve seen companies that took 30 days to acknowledge a finding, and we’ve also seen companies that acknowledged and patched a finding within 60 minutes,” Hussein said. “But our position has always been very strict about this topic. Companies panic and respond in seconds if their apps are down … they should treat the safety of their customer data just the same.”