MoviePass Left Tens Of Thousands Of Credit Card Numbers Exposed Online

from the whoops-a-daisy dept

MoviePass initially seemed like it might be a plausible idea, though recently the outfit has been exposed for being terrible at this whole business thing. The service initially let movie buffs pay $30 a month in exchange for unlimited movie tickets at participating theaters, provided they signed up for a full year of service. But recent reports have made it clear company leaders had absolutely no idea what they were doing, the service was routinely hemorrhaging cash (particularly after an unsustainable price drop to $10), and execs even tried to change user passwords to prevent users from actually using the service.

Apparently, the outfit wasn’t too hot at this whole internet security thing, either.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, recently discovered that the company had left tens of thousands of user credit card numbers exposed to the internet. An exposed database on one of the company’s subdomains resulted in 161 million records of various types being exposed (a number, if precedent holds, that could grow even larger). And while much of this data was not sensitive, a good chunk of it was:

“We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated.

The database had more than 58,000 records containing card data — and was growing by the minute.”

Some customer names and addresses were also exposed to the internet. The data also included logs of failed login attempts, as well as subscriber email addresses. None of the records in the exposed database had been encrypted. The data had been exposed for months, and like so many companies, MoviePass didn’t appear to be in much of a rush to address the problem:

“The database was exposed for months. Yonathan Klijnsma, threat researcher at cyberthreat intelligence firm RiskIQ, found evidence that the database was open from early May. Then, after we published this story, security researcher Nitish Shah told TechCrunch he also found the exposed database months earlier. ‘I even notified them, but they [didn’t bother] to reply or fix it,’ he said. He provided a screenshot of the exposed database for proof, which we verified.”

With the number of companies that have been embarrassed for leaving sensitive customer data exposed to the internet, you’d think we’d be seeing fewer of these kinds of scandals as companies work to audit and secure their systems. Yet we seem to be seeing more of these breaches (especially private data left exposed in unprotected Amazon cloud buckets) each and every month.

Companies: moviepass


Comments on “MoviePass Left Tens Of Thousands Of Credit Card Numbers Exposed Online”

Anonymous Coward says:

But recent reports have made it clear company leaders had absolutely no idea what they were doing

The BusinessInsider story linked from that article is paywalled, so it’s hard to tell what you’re basing this opinion on. It sounds like they were trying to defraud investors and customers. Given that they got salaries for years and haven’t been charged with a crime or sued, I’m not so sure they were clueless.

Anonymous Coward says:

Re: Re:

They were clueless to think they wouldn’t get caught. Once they started messing with customer accounts, it was game over. That stuff will always come out once the money runs out, if you’ve got employees and stop paying them.

The solution here would have been to sell the company and leave the country before everything became public.

Anonymous Coward says:

Re: Re: Re:

They were clueless to think they wouldn’t get caught.

The question isn’t whether they’ll get caught, it’s whether they’ll face consequences. Yeah, they could still go to jail, but who knows? We’ve seen Corporate America get away with worse. Only one bank, one that few had ever heard of, was indicted for the 2008 mortgage crisis; other bank executives mostly remain rich.

Anonymous Coward says:

Data breaches (and this isn’t even a breach, the data here was offered publicly) are getting to be a bit of a yawn. The message is clear: Don’t trust any old website with your credit card or other personal details. For payments, stick with those sites that use specialist services for that such as Stripe or even PayPal — they have a vested interest in keeping your data secure. If they don’t offer such a payment method then shop elsewhere or don’t bother. At least if you stick with just a couple payment processors your details are shared with the smallest number of sites possible.

Anonymous Coward says:

Maybe they had a clue once...

MoviePass might have had a clue at the start. The idea was to resell tickets for less than they cost them but eventually to get movie theater chains to sell them tickets for less on the strength of the greater marketing prowess of MoviePass in bringing in new customers who wouldn’t otherwise see movies and would load up on snacks.

Bottom line, if theaters were making more after MoviePass than before, then they would have a motive to lower ticket prices for MoviePass but if MoviePass is just selling tickets to people who would have bought them for a higher price anyway, or who didn’t buy enough snacks, or used MoviePass too much, then their business model wouldn’t work.

Maybe it did work and they proved their case to theaters, who then stole the idea and made their own passes because why should they share a dime with an outside party? And that’s just what happened, didn’t it? MoviePass’s mistake was in thinking they had anything to sell that AMC couldn’t sell to their own customers.

Anonymous Coward says:

Re: Maybe they had a clue once...

Good point. In my area we have the traditional sardine can theaters, complete with the smell and cramped conditions, and we have Cinetopia, a "high end" theater with better seating, food and drinks served inside the theater, and higher prices. Those who frequent the sardine cans rarely visit the nicer theater. The same is true in reverse. Thus there really isn’t any kind of real competition and a "movie pass" would be used exclusively for tickets at one of the two theater types. Because all Cinetopias are owned by the one guy and all of the others are owned by the one corp, all each needs to do is issue their own movie pass and this MoviePass business is done. In this area at least.

I don’t know what made them think that theaters would give them a big enough discount that they could offer such cheap tickets to their MoviePass customers and still have enough left over as profit to be worth it. Bad idea and they should be ashamed. Their investors should be listed publicly so everyone else can take advantage of them, too.

Michael (profile) says:

Horrible, but not as bad as this may seem

"A little over half contained unique MoviePass debit card numbers"

MoviePass debit cards were the way the users purchased the tickets. When they selected a movie to go see, the debit card would get the cost of the ticket applied to it and the user would use the card to purchase the ticket.

While having an exposed database full of customer information is horrible, it was not customer credit or debit cards exposed here, it was just a card number for a card that really cannot be used for anything except purchasing a movie ticket selected by the user.
