MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online

  /     /     /  
Publicated : 23/11/2024   Category : security


MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online


Thousands of customers credit card numbers, MoviePass card numbers, and sensitive data were left in an unprotected database.



MoviePass, a struggling film subscription service, has another problem on its plate: Security researchers discovered an unsecured company database exposing thousands of customers personal and payment information. The database has since been taken offline.
Compromised data includes names, email addresses, credit card numbers, expiration dates, billing information, and mailing addresses. Many exposed held MoviePass customer card numbers, which appear on subscribers payment cards. Members who pay a monthly fee can use these cards to pay to watch movies in theaters.
Mossab Hussein, a security researcher with security company SpiderSilk, found the exposed server on one of MoviePass subdomains, TechCrunch
reports
. The database held 161 million records and counting; 58,000 of those records contained payment card data. Hussein initially emailed MoviePass CEO Mitch Lowe, but when the executive didnt respond to his message, the researcher contacted TechCrunch. MoviePass took the server down after the publication reached out.
After working with Hussein to review sample datasets, TechCrunch reports exposed records contain sufficient information to commit credit card fraud. In a sample of 1,000 records, more than half had a MoviePass member card number, balance, and expiration. The server also contained records of failed login attempts. None of the data on the server was encrypted.
It has not been confirmed how long the data was exposed or whether any attackers attempted to access and abuse it. Leaving 58,000-plus records containing payment card data unencrypted on a publicly accessible database is concerning, says DivvyCloud CTO Chris DeRamus. However, the fact that MoviePass initially ignored the vulnerability when it was notified is even worse.  
This marks the latest in a series of debacles for MoviePass, which has faced customer losses and several internal problems after rapid growth last year. While its possible this growth caused MoviePass to overlook security, this type of careless mistake can lead to long-term problems.
When a company experiences a surge in popularity, they tend to quickly begin building software and expanding their ecosystem to focus on implementing new functionality and getting it to production, oftentimes while neglecting to consider security implications or needs, says Nabil Hannan, managing principal for financial services at Synopsys. 
Hannan says its very concerning to see MoviePass stored sensitive data in plaintext without a password.
Related Content:
7 Big Factors Putting Small Businesses At Risk
Apple Misstep Leaves iPhones Open to Jailbreak
5 Ways to Improve the Patching Process
VxWorks TCP/IP Stack Vulnerability Poses Major Manufacturing Risk
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
How to Avoid Technical Debt in Open Source Projects
.
 

Last News

▸ Enhancing Security of Web Apps ◂
Discovered: 26/12/2024
Category: security

▸ DDoS data reveals subtle threats beneath large attacks. ◂
Discovered: 26/12/2024
Category: security

▸ India launched a targeted attack on Pakistan. ◂
Discovered: 26/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online