Unencrypted MoviePass Database Exposes Sensitive Info From Thousands of Customers

Discussion in 'iOS Blog Discussion' started by MacRumors, Aug 20, 2019.

  1. MacRumors macrumors bot


    Apr 12, 2001

    Struggling movie ticket subscription service MoviePass stored thousands of customer card numbers and personal credit cards in a database that was not protected with a password, reports TechCrunch.

    The exposed database, which contained 161 million records, was discovered by Mossab Hussain, a Dubai-based security researcher. Many of the records in the database were computer-generated logging messages, but some also featured sensitive user information like MoviePass customer card numbers.


    MoviePass customer cards work like debit cards and are issued by Mastercard, allowing customers who sign up for MoviePass to use them to pay for the full cost of movie tickets.

    In a sample of 1,000 records, TechCrunch found that a little over half contained unique MoviePass debit card numbers, expiration dates, and card balance. More than 58,000 records containing card data were found.

    The unprotected MoviePass database also featured some customers' personal credit card numbers along with expiration dates, names, addresses, and other billing information. TechCrunch says that records contained enough information to allow someone to make fraudulent card purchases, though some records featured card numbers that were masked with the exception of the last four digits.

    Email addresses and passwords related to failed login attempts were also found in the database.
    While Hussain contacted MoviePass CEO Mitch Lowe over the weekend, there was no response. MoviePass left the database online until Tuesday when TechCrunch contacted the company.

    The database may have been accessible for months, but MoviePass did not respond to TechCrunch's questions about how long the server was exposed and whether it plans to disclose the incident to customers.

    Hussain told TechCrunch that he questions why internal technical teams would be allowed to see critical data in plaintext, "let alone the fact that the dataset was exposed for public access by anyone."

    Since its early 2018 launch, MoviePass has failed catastrophically. It ran out of money temporarily in mid-2018 because it was losing up to $40 million per month, and then began cutting back on the quality of service, limiting movie access, raising prices, and even temporarily shutting down.

    Earlier this month, there were reports suggesting that MoviePass even went as far as changing the passwords of its most active users in an attempt to save money. Over the course of the last year, MoviePass has allegedly gone from three million subscribers to approximately 225,000.

    Article Link: Unencrypted MoviePass Database Exposes Sensitive Info From Thousands of Customers
  2. jonblatho macrumors 65816


    Jan 20, 2014
  3. redneckitengineer, Aug 20, 2019
    Last edited: Aug 20, 2019

    redneckitengineer macrumors 6502


    Oct 27, 2017
    I jumped ship a LONG time ago when they started limiting and cutting. The funny thing, I haven't been back to the theaters once since. Greedy theaters that didn't want to partner lost all my business. Instead of being reasonable, they lost a lot more.
  4. KGBguy macrumors regular


    Feb 19, 2015
    USSR 2.0
    Yep, this company is a total joke. I dumped them 2 months after getting it.
  5. Unity451 macrumors 6502


    Aug 29, 2011
    The company changed their business model again... this time they're selling customer data for profit... I'm sure they'll revise the strategy again next week.
    --- Post Merged, Aug 20, 2019 ---
  6. macduke macrumors G4


    Jun 27, 2007
    Central U.S.
    Well, I guess I was wrong when I last commented about Movie Pass over a year ago. They'll be remembered because of their data leaks.

  7. thisisnotmyname, Aug 20, 2019
    Last edited: Aug 20, 2019

    thisisnotmyname macrumors 68000


    Oct 22, 2014
    known but velocity indeterminate
    It's just incredible that a company would still have such terrible data protection processes that this could happen but I find the tidbit buried at the end to almost as bad. I'd go read that article because "reports" could mean unsubstantiated rumors from a disgruntled employee but if they were changing passwords to block users that's inviting a lawsuit.

    edit to add: that was a really interesting article. Amazing how much shenanigans was going on in the background at MoviePass
  8. TMRJIJ macrumors 68040


    Dec 12, 2011
    South Carolina, United States
    I honestly thought this company was dead already
  9. dannyyankou macrumors G3


    Mar 2, 2012
    Scarsdale, NY
    Thank god I never took the bait and signed up for this cluster service.
  10. now i see it macrumors 68040

    Jan 2, 2002
    time and again, new companies show that they are lazy and clueless when it comes to securing customer data.
    At this point it's pretty clear that this kind of crap will continue as long as humans and computers exist.
    Lesson learned? Every newfangled Internet dependent service should be considered a security hazard.
  11. CarlJ macrumors 68030


    Feb 23, 2004
    San Diego, CA, USA
    Greedy theaters? Reasonable? MoviePass was selling you deeply discounted tickets that they were buying at full price, and your takeaway is that the tickets were overvalued? If I go bankrupt selling you dollar bills for 25 cents each, do you think that dollar bills are too expensive at normal prices, or that I had a terrible business plan.
  12. thefourthpope macrumors 6502a


    Sep 8, 2007
    Ditto. Never did seem feasible as a business model, especially with theaters immediately making plans to offer their own plans (our town only has a Regal theater, so I’ve only paid attention to them, but they’ve recently launched their own subscription program after whispering about it for a while).
  13. kazmac macrumors 604


    Mar 24, 2010
    Any place but here or there....
    Wow. Well, if this doesn’t sink Movie Pass, I don’t know what will.

    Unfortunate about folks’ personal information being exposed too though.
  14. zorinlynx macrumors 603


    May 31, 2007
    Florida, USA
    Why does this company still exist? Shouldn't it be six feet under by now? How can a company be such a complete cluster-****, lose millions and millions of dollars, and still be around to lose control of customer data?

    It's frustrating to see this happen while so many good people are scraping by.
  15. fairuz macrumors 68020


    Aug 27, 2017
    Silicon Valley
    I love how companies that suck for unrelated reasons always get hacked too.
  16. apolloa macrumors G5

    Oct 21, 2008
    Time, because it rules EVERYTHING!
    Anither online service that’s cheaped out in security, shocker....

    I suspect the majority of online services record your data in plain text, they don’t want to spend the money on proper security as is required by some data protection laws.
    I always just think of Sony and how it’s customer data was not hashed is it? A couple of huge break ins and thefts (no one was ever arrested for the theft of millions of credit cards and personally identifiable user information from Sony), and some fines, but massive public outcry later and they eventually do it properly, or so they claim.

    So glad these people keep on calling out these services that take security as a joke and a cost cutting measure.
  17. MadeTheSwitch macrumors 6502a


    Apr 20, 2009
    Damn. How incompetent can one company be? This needs to be the final straw for the company. And then, when the company collapses, the people responsible for the mess need to be blackballed from ever having anything to do with sensitive data ever again in any company they try to go work for.

    They have demonstrated they aren’t capable of being responsible.
  18. Khedron macrumors 68000

    Sep 27, 2013
    They've shown such consistent and willful negligence that at this point I'd support mandatory licensing and proof of encryption and security before any business wants to save a single piece of user information.
  19. alphaod macrumors Core


    Feb 9, 2008
    I deleted my account last year after that whole AMC fiasco and ended up getting A-List though... I hope my information is not in that database.
  20. Scott6666 macrumors 65816


    Feb 2, 2008
    Selling customer data to hackers is the new business model.
  21. redneckitengineer macrumors 6502


    Oct 27, 2017
    Why are box office sales declining year over year then? I'm not the only one who doesn't go to theaters anymore. Movie Pass was a disruptor and all the chains now have something similar because people want it. Movie Pass tried to get chains to partner and share in profits but instead they bucked and now there's 3 million less Movie Pass guests(some may have a chain based plan now). Your ignorant if you think paying $10-15 per ticket is not greedy. Redbox it for $2 and watch it at home with your own food and beer.
  22. anson42 macrumors 6502

    Mar 13, 2014
    Oakland, CA
    Seriously, if a company is not advertising themselves as PCI DSS compliant, there is every opportunity for said company to be mishandling credit card data and is thus not trustworthy to hold on to it. A password protected database is itself not enough. To MoviePass, as a US company if you don't know what PCI is, that's ignorant. If you do and chose not to do anything about it, that's negligent. If you advertise yourself as PCI compliant, that's fraudulent.

  23. GeneralChang macrumors 65816

    Dec 2, 2013
    Aaaah, MoviePass... I signed on very near the beginning, and jumped ship just before it totally capsized. I got a solid portion of a year of frankly excellent movie ticket prices, and suffered virtually no ill effects aside from a crippling addiction to theater popcorn. But I've gotta say, watching the clown-car of catastrophes that's unloaded since I left has been interesting to say the least.
  24. MadeTheSwitch macrumors 6502a


    Apr 20, 2009
    I don’t go much anymore either. Not only because is it expensive, but mainly because the people around you are horrible. They think they ARE home. They get up in front of you (multiple times), they make noise, they talk, they check their phones. It’s awful!

Share This Page

23 August 20, 2019