MoviePass data breach leaves credit card numbers open


Movie ticket subscription service MoviePass is the latest company to suffer a data breach after tens of thousands of customer card numbers and personal credit cards were left unsecured on a server that was not password protected.

The exposed database was discovered by SpiderSilk security researcher Mossab Hussein, who found it on one of the company's many subdomains. The database itself is massive and contains over 161m records, including some pertaining to the service's daily operations as well as sensitive user information such as MoviePass customer card numbers.

MoviePass issues cards to its customers that are similar to normal debit cards and are issued by MasterCard. These cards contain a cash balance and the company deposits funds onto them which customers then use to pay to see movies.

When reviewing the records stored in the exposed database, TechCrunch also found MoviePass customers' personal credit card numbers, including their expiry dates, as well as billing information such as names and postal addresses. However, some of the records contained card numbers where only the last four digits were visible.

Exposed database

After discovering the exposed database, Hussein reached out to MoviePass' chief executive Mitch Lowe to inform him of the matter, but he did not hear back. The database was finally taken offline after TechCrunch reached out to the company.

Hussein was able to find MoviePass' exposed database by using SpiderSilk's own web mapping tools, which search for internet-connected databases that are not password protected and identify their owners. This information is then disclosed to companies privately, often in exchange for a bug bounty.

According to the cyberthreat intelligence firm RiskIQ, the database may have been exposed for months, as the firm first detected the unsecured server in June.

MoviePass has yet to publicly acknowledge the breach and this lapse in security will likely do little to help the company as it struggles to gain more customers after growing far too fast. The company has also faced scrutiny recently after it reportedly changed the passwords of users who use its service extensively to prevent them from seeing more films.

Via TechCrunch

Anthony Spadafora
