Tens of thousands of subscribers of the movie-ticket subscription service MoviePass had their card information exposed when a critical company database was found to be reachable from the internet without a password.
For $19.95 per month, MoviePass offers its subscribers one movie ticket per day, accepted at most theaters nationwide. To use the service, a subscriber receives a MoviePass card by mail and then browses the app for showtimes and theaters. Because it is a subscription service, the subscriber also has to link a credit card to the account to keep the subscription active.
However, Mossab Hussein, a security researcher at the Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company's subdomains that contained records of subscribers' card information. According to the researcher, the unprotected database was massive: it held more than 61 million records at the time of writing and was still growing in real time.
While most of the data in the database consisted of auto-generated service logs and operational records needed only to keep the service running, it also contained the card numbers of MoviePass customers.
The MoviePass card is a MasterCard-issued card that works like a prepaid debit card: it carries a cash balance that subscribers use to pay for tickets from the service's catalog of movies. In a report by TechCrunch, which helped the researcher analyze the database, the reporters found that after de-duplicating a sample of 1,000 records, more than half of them were unique MoviePass card numbers. Each customer card record held the MoviePass debit card number and its expiry date, the card's balance, and the date the card was activated.
More than 58,000 records containing customers' card data were found in the unencrypted database, and the researchers said the number was growing every day.
Beyond the card numbers, the researchers also found personally identifiable information in the database. Among the most sensitive fields were customers' billing details, such as names and postal addresses. According to the experts who investigated the leak, the database held enough data for anyone with access to make fraudulent purchases using subscribers' financial information.
Email addresses and passwords were also present in the database, because the service logged failed login attempts together with the password that was typed. When a user mistyped a credential, the incorrect password was written to the database in plaintext, even when it differed from the real password by a single character. Anyone with access to the database could therefore use these near-miss passwords to guess subscribers' real passwords, or replay them against other services, and take over their accounts.
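The failure mode described above (plaintext card numbers and typed passwords ending up in an operational log store) is a logging problem as much as a database-exposure problem. The following added example, which is not code from MoviePass or from the original report, shows a login-failure logger that records the attempted password beside a hardened version that does not, plus a scrubber that can be put in front of any log sink as a last line of defense: it drops password fields outright and masks anything that looks like a Luhn-valid card number down to its last four digits. The field names, the log format and the sample records are constructed for this example.

```python
import re
from typing import Any, Dict

# Constructed for this example: field names treated as secrets or as card numbers.
PASSWORD_FIELDS = {"password", "pass", "pwd", "attempted_password"}  # never written to logs
PAN_FIELDS = {"card_number", "pan", "moviepass_card"}               # written masked only

# 13-19 digits, optionally separated by spaces or dashes, as a PAN candidate in free text.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order IDs and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(value: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask Luhn-valid card numbers embedded in a free-text log message."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


def scrub_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Redact a structured log event before it reaches any log store."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        lk = key.lower()
        if lk in PASSWORD_FIELDS:
            out[key] = "[REDACTED]"          # a wrong password is still a secret
        elif lk in PAN_FIELDS and isinstance(value, str):
            out[key] = mask_pan(value)
        elif isinstance(value, dict):
            out[key] = scrub_record(value)   # nested payloads get the same treatment
        elif isinstance(value, str):
            out[key] = scrub_text(value)     # free text may smuggle a PAN through
        else:
            out[key] = value
    return out


def failed_login_event_unsafe(email: str, attempted_password: str) -> Dict[str, Any]:
    """The anti-pattern: the typed password is stored alongside the account it was tried on."""
    return {"event": "login_failed", "email": email, "attempted_password": attempted_password}


def failed_login_event_safe(email: str, attempted_password: str) -> Dict[str, Any]:
    """Hardened version: record that a failure happened, never what was typed."""
    # The password is intentionally unused; only its existence matters for the event.
    return {"event": "login_failed", "email": email, "reason": "bad_credentials"}


if __name__ == "__main__":
    # Constructed sample: a failed login and a card record as a service might log them.
    unsafe = failed_login_event_unsafe("user@example.com", "hunter3")
    print("unsafe  :", unsafe)
    print("scrubbed:", scrub_record(unsafe))
    print("safe    :", failed_login_event_safe("user@example.com", "hunter3"))
    card_event = {"event": "card_activated", "moviepass_card": "4111 1111 1111 1111",
                  "note": "activated card 4111111111111111 for user 9876543210"}
    print("card    :", scrub_record(card_event))
```

The scrubber is defensive depth, not a substitute for not collecting the data: the hardened event function shows the real fix, which is never to hand the typed password to the logging layer at all.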
To make matters worse, the database had been exposed online, and potentially accessible to attackers, for months, according to data collected by the cyberthreat intelligence firm RiskIQ, which first detected the unprotected system in June. This was supported by cybersecurity expert Nitish Shah, who said he had also uncovered the database several months earlier. "I even notified them, but they [didn't bother] to reply or fix it," he said.
Earlier reports of the exposed database had reached the company, but it did not respond. Hussein also contacted MoviePass chief executive Mitch Lowe by email and received no reply. The database was only taken down after TechCrunch, a prominent technology and cybersecurity news outlet, contacted the company.
“Hussain contacted MoviePass chief executive Mitch Lowe by email — which TechCrunch has seen — over the weekend but did not hear back. It was only after TechCrunch reached out Tuesday when MoviePass took the database offline,” Zack Whittaker wrote in a report.
Following his discovery, Hussein said the company had been negligent in leaving the data unencrypted in a database that was exposed without a password.
“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussein said. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the data set was exposed for public access by anyone,” he added.