[BreachExchange] MoviePass exposed thousands of unencrypted customer card numbers
destry at riskbasedsecurity.com
Wed Aug 21 10:07:45 EDT 2019
Movie ticket subscription service MoviePass has exposed tens of
thousands of customer card numbers and personal credit card numbers
because a critical server was not protected with a password.
Mossab Hussein, a security researcher at Dubai-based cybersecurity
firm SpiderSilk, found an exposed database on one of the company’s
many subdomains. The database was massive, containing 161 million
records at the time of writing and growing in real time. Many of the
records were normal computer-generated logging messages used to ensure
the running of the service — but many also included sensitive user
information, such as MoviePass customer card numbers.
These MoviePass customer cards are like normal debit cards: they’re
issued by Mastercard and store a cash balance, which users who sign up
to the subscription service can use to pay to watch a catalog of
movies. For a monthly subscription fee, MoviePass loads the full cost
of the movie onto the debit card, which the customer then uses to pay
for the movie at the cinema.
We reviewed a sample of 1,000 records and removed the duplicates. A
little over half contained unique MoviePass debit card numbers. Each
customer card record had the MoviePass debit card number and its
expiry date, the card’s balance and when it was activated.
The database had more than 58,000 records containing card data — and
was growing by the minute.
We also found records containing customers’ personal credit card
numbers and their expiry date — which included billing information,
including names and postal addresses. Among the records we reviewed,
we found records with enough information to make fraudulent card
Some records, however, contained card numbers that had been masked
except for the last four digits.
The database also contained email addresses and some password data
related to failed login attempts. We found hundreds of records
containing users’ email addresses and, presumably, incorrectly typed
passwords, which were logged in the database. We verified this by
attempting to log into the app with an email address and password that
didn’t exist and that only we knew. Our dummy email address and
password appeared in the database almost immediately.
None of the records in the database were encrypted.
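The records described above (card numbers stored alongside expiry dates and balances, and the passwords typed into failed login attempts written straight into a log stream) are the kind of data a logging pipeline should mask or drop before anything is written, regardless of how the server is later protected. The following is an added example of such a log scrubber; it is not code from the article, from MoviePass or from SpiderSilk. The field names (`password`, `card_number`, and so on), the JSON-lines format and the sample log lines are all assumptions constructed for the example. Card numbers in free text are detected as 13 to 19 digit runs that pass the Luhn checksum, and are reduced to their last four digits, which is the masked form the article says some records already had; password fields are redacted outright.

```python
import json
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by
# spaces or dashes (as they often appear in free-text messages).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Field names that must never reach a log, whatever the value.
# (Assumed names; adapt to the application's own schema.)
SECRET_FIELDS = {"password", "passwd", "pwd", "cvv", "cvc"}
# Field names whose value is a card number and must keep only the last four.
PAN_FIELDS = {"card_number", "pan", "credit_card"}

# Constructed sample log lines, the shape of what the article describes:
# a free-text activation message and a JSON failed-login event.
SAMPLE_LINES = [
    "activated card 5555555555554444 balance 9.50",
    '{"event": "login_failed", "email": "x@example.com", "password": "hunter2"}',
    "request_id=1234567890123456 status=200",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask every Luhn-valid card number found in a free-text message."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def scrub_event(event: dict) -> dict:
    """Scrub a structured event: drop secret fields, mask card fields,
    recurse into nested objects, and scrub free text in string values."""
    out = {}
    for k, v in event.items():
        key = k.lower()
        if key in SECRET_FIELDS:
            out[k] = "[REDACTED]"
        elif key in PAN_FIELDS and isinstance(v, str):
            out[k] = mask_pan(v)
        elif isinstance(v, dict):
            out[k] = scrub_event(v)
        elif isinstance(v, str):
            out[k] = scrub_text(v)
        else:
            out[k] = v
    return out


def scrub_log_line(line: str) -> str:
    """Scrub one log line: JSON objects are scrubbed per field,
    anything else is treated as free text."""
    try:
        event = json.loads(line)
    except ValueError:
        return scrub_text(line)
    if isinstance(event, dict):
        return json.dumps(scrub_event(event), sort_keys=True)
    return scrub_text(line)


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(scrub_log_line(raw))
```

The Luhn check is a heuristic: it keeps ordinary identifiers such as request IDs untouched but will also mask any unrelated number that happens to have a valid checksum, which is the safer direction to err in. Scrubbing at the logging layer reduces what an exposed log store can leak; it does not replace authentication on the server or network restrictions on who can reach it.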
Hussein contacted MoviePass chief executive Mitch Lowe by email —
which TechCrunch has seen — over the weekend but did not hear back. It
was only after TechCrunch reached out Tuesday that MoviePass took the
It’s understood that the database may have been exposed for months,
according to data collected by cyberthreat intelligence firm RiskIQ,
which first detected the system in late June.
We asked MoviePass several questions — including why the initial email
disclosing the security lapse was ignored, for how long the server was
exposed and its plans to disclose the incident to customers and state
regulators. When reached, a spokesperson did not comment by our
MoviePass has been on a roller coaster since it hit mainstream
audiences last year. The company quickly grew its customer base from
1.5 million to 2 million customers in less than a month. But MoviePass
took a tumble after critics said it grew too fast, forcing the company
to cease operating briefly after the company ran out of money. The
company later said it was profitable, but then suspended service,
supposedly to work on its mobile app. It now says it has “restored
[service] to a substantial number of our current subscribers.”
Leaked internal data from April said its customer numbers went from
three million subscribers to about 225,000. And just this month
MoviePass reportedly changed user passwords to hobble access for
customers who use the service extensively.
Hussein said the company was negligent in leaving data unencrypted in
an exposed, accessible database.
“We keep on seeing companies of all sizes using dangerous methods to
maintain and process private user data,” Hussein told TechCrunch. “In
the case of MoviePass, we are questioning the reason why would
internal technical teams ever be allowed to see such critical data in
plaintext — let alone the fact that the data set was exposed for
public access by anyone,” he said.
The security researcher said he found the exposed database using his
company-built web mapping tools, which peek into non-password-protected
databases that are connected to the internet and identify the owner.
The information is privately disclosed to companies, often in exchange
for a bug bounty.
Hussein has a history of finding exposed databases. In recent months
he found one of Samsung’s development labs exposed on the internet. He
also found an exposed backend database belonging to Blind, an
anonymity-driven workplace social network, exposing private user data.