Unencrypted MoviePass Database Exposes Sensitive Info From Thousands of Customers

MacRumors

macrumors bot
Original poster
Apr 12, 2001
7,401
8,478



Struggling movie ticket subscription service MoviePass stored thousands of customer card numbers and personal credit cards in a database that was not protected with a password, reports TechCrunch.

The exposed database, which contained 161 million records, was discovered by Mossab Hussain, a Dubai-based security researcher. Many of the records in the database were computer-generated logging messages, but some also featured sensitive user information like MoviePass customer card numbers.


MoviePass customer cards work like debit cards and are issued by Mastercard, allowing customers who sign up for MoviePass to use them to pay for the full cost of movie tickets.

In a sample of 1,000 records, TechCrunch found that a little over half contained unique MoviePass debit card numbers, expiration dates, and card balance. More than 58,000 records containing card data were found.

The unprotected MoviePass database also featured some customers' personal credit card numbers along with expiration dates, names, addresses, and other billing information. TechCrunch says that records contained enough information to allow someone to make fraudulent card purchases, though some records featured card numbers that were masked with the exception of the last four digits.

Email addresses and passwords related to failed login attempts were also found in the database.
"We found hundreds of records containing the user's email address and presumably incorrectly typed password -- which was logged -- in the database. We verified this by attempting to log into the app with an email address and password that didn't exist but only we knew. Our dummy email address and password appeared in the database almost immediately."
While Hussain contacted MoviePass CEO Mitch Lowe over the weekend, there was no response. MoviePass left the database online until Tuesday when TechCrunch contacted the company.

The database may have been accessible for months, but MoviePass did not respond to TechCrunch's questions about how long the server was exposed and whether it plans to disclose the incident to customers.

Hussain told TechCrunch that he questions why internal technical teams would be allowed to see critical data in plaintext, "let alone the fact that the dataset was exposed for public access by anyone."

Since its early 2018 launch, MoviePass has failed catastrophically. It ran out of money temporarily in mid-2018 because it was losing up to $40 million per month, and then began cutting back on the quality of service, limiting movie access, raising prices, and even temporarily shutting down.

Earlier this month, there were reports suggesting that MoviePass even went as far as changing the passwords of its most active users in an attempt to save money. Over the course of the last year, MoviePass has allegedly gone from three million subscribers to approximately 225,000.

Article Link: Unencrypted MoviePass Database Exposes Sensitive Info From Thousands of Customers
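
The article describes log records that carried full card numbers and the passwords typed in failed logins. As an added example (not part of the original post and not MoviePass code), here is one way to scrub such values before a log line reaches any sink; the names `scrub`, `RedactingFilter` and `demo`, the key list and the sample lines are all assumptions made for illustration.

```python
import logging
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# key=value or "key": "value" pairs whose value must never reach a log sink
# (the key names are an assumed list, extend it for your own schema).
SECRET_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|cvv|cvc)\b("?\s*[=:]\s*)("[^"]*"|\S+)')

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and similar long numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub(text: str) -> str:
    """Drop secret values and mask card numbers down to the last four digits."""
    text = SECRET_RE.sub(r"\1\2[REDACTED]", text)
    return PAN_RE.sub(_mask_pan, text)

class RedactingFilter(logging.Filter):
    """Scrubs the fully formatted message before a handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = None  # message is already formatted
        return True

def demo() -> list[str]:
    # Constructed log lines; 5555555555554444 is a public Mastercard test number.
    lines = [
        "login failed email=user@example.com password=Tr0ub4dor&3",
        'charge {"pan": "5555 5555 5555 4444", "exp": "12/22", "cvv": "123"}',
        "ticket order 1234567890123 confirmed",
    ]
    return [scrub(line) for line in lines]
```

Attach the filter with `handler.addFilter(RedactingFilter())` on every handler that ships logs off the host. Pattern scrubbing is a backstop: the failed-login case is better fixed by never passing the submitted password to the logger at all.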
 

Unity451

macrumors 6502
Aug 29, 2011
361
1,469
California
The company changed their business model again... this time they're selling customer data for profit... I'm sure they'll revise the strategy again next week.
Earlier this month, there were reports suggesting that MoviePass even went as far as changing the passwords of its most active users in an attempt to save money.
#murica
 
  • Like
Reactions: Joe h

macduke

macrumors G4
Jun 27, 2007
10,566
14,057
Central U.S.
Well, I guess I was wrong when I last commented about Movie Pass over a year ago. They'll be remembered because of their data leaks.

If something seems too good to be true, it usually is. Most people saw this coming. Now MoviePass will fade into obscurity and be forgotten about.
 
  • Like
Reactions: miniyou64

thisisnotmyname

macrumors 68000
Oct 22, 2014
1,944
4,215
known but velocity indeterminate
It's just incredible that a company would still have such terrible data protection processes that this could happen but I find the tidbit buried at the end to be almost as bad. I'd go read that article because "reports" could mean unsubstantiated rumors from a disgruntled employee but if they were changing passwords to block users that's inviting a lawsuit.

edit to add: that was a really interesting article. Amazing how much shenanigans was going on in the background at MoviePass
 
  • Like
Reactions: thefourthpope

now i see it

macrumors 601
Jan 2, 2002
4,004
8,005
Time and again, new companies show that they are lazy and clueless when it comes to securing customer data.
At this point it's pretty clear that this kind of crap will continue as long as humans and computers exist.
Lesson learned? Every newfangled Internet dependent service should be considered a security hazard.
 
  • Like
Reactions: AlexGraphicD

CarlJ

macrumors 68040
Feb 23, 2004
3,018
4,581
San Diego, CA, USA
Greedy theaters that didn't want to partner lost all my business. Instead of being reasonable, they lost a lot more.
Greedy theaters? Reasonable? MoviePass was selling you deeply discounted tickets that they were buying at full price, and your takeaway is that the tickets were overvalued? If I go bankrupt selling you dollar bills for 25 cents each, do you think that dollar bills are too expensive at normal prices, or that I had a terrible business plan?
 

thefourthpope

macrumors 6502a
Sep 8, 2007
937
171
DelMarVa
I honestly thought this company was dead already
Ditto. Never did seem feasible as a business model, especially with theaters immediately making plans to offer their own plans (our town only has a Regal theater, so I’ve only paid attention to them, but they’ve recently launched their own subscription program after whispering about it for a while).
 

zorinlynx

macrumors 603
May 31, 2007
5,527
6,448
Florida, USA
Why does this company still exist? Shouldn't it be six feet under by now? How can a company be such a complete cluster-****, lose millions and millions of dollars, and still be around to lose control of customer data?

It's frustrating to see this happen while so many good people are scraping by.
 
  • Like
Reactions: SteveOfTheStow

apolloa

macrumors G5
Oct 21, 2008
12,225
7,673
Time, because it rules EVERYTHING!
Another online service that’s cheaped out in security, shocker....

I suspect the majority of online services record your data in plain text, they don’t want to spend the money on proper security as is required by some data protection laws.
I always just think of Sony and how its customer data was not hashed, was it? A couple of huge break-ins and thefts (no one was ever arrested for the theft of millions of credit cards and personally identifiable user information from Sony), and some fines, but massive public outcry later and they eventually do it properly, or so they claim.

So glad these people keep on calling out these services that take security as a joke and a cost cutting measure.
 

MadeTheSwitch

macrumors 6502a
Apr 20, 2009
814
15,173
Damn. How incompetent can one company be? This needs to be the final straw for the company. And then, when the company collapses, the people responsible for the mess need to be blackballed from ever having anything to do with sensitive data ever again in any company they try to go work for.

They have demonstrated they aren’t capable of being responsible.
 

Khedron

macrumors 68000
Sep 27, 2013
1,968
3,655
Time and again, new companies show that they are lazy and clueless when it comes to securing customer data.
At this point it's pretty clear that this kind of crap will continue as long as humans and computers exist.
Lesson learned? Every newfangled Internet dependent service should be considered a security hazard.
They've shown such consistent and willful negligence that at this point I'd support mandatory licensing and proof of encryption and security before any business wants to save a single piece of user information.
 

alphaod

macrumors Core
Feb 9, 2008
22,046
1,104
NYC
I deleted my account last year after that whole AMC fiasco and ended up getting A-List though... I hope my information is not in that database.
 

Scott6666

macrumors 65816
Feb 2, 2008
1,322
423
The company changed their business model again... this time they're selling customer data for profit... I'm sure they'll revise the strategy again next week.
#murica
Selling customer data to hackers is the new business model.
 

redneckitengineer

macrumors 6502
Oct 27, 2017
339
770
Tennessee
Greedy theaters? Reasonable? MoviePass was selling you deeply discounted tickets that they were buying at full price, and your takeaway is that the tickets were overvalued? If I go bankrupt selling you dollar bills for 25 cents each, do you think that dollar bills are too expensive at normal prices, or that I had a terrible business plan?
Why are box office sales declining year over year then? I'm not the only one who doesn't go to theaters anymore. Movie Pass was a disruptor and all the chains now have something similar because people want it. Movie Pass tried to get chains to partner and share in profits but instead they bucked and now there's 3 million less Movie Pass guests (some may have a chain based plan now). You're ignorant if you think paying $10-15 per ticket is not greedy. Redbox it for $2 and watch it at home with your own food and beer.
 

anson42

macrumors 6502
Mar 13, 2014
434
327
Oakland, CA
Seriously, if a company is not advertising themselves as PCI DSS compliant, there is every opportunity for said company to be mishandling credit card data and is thus not trustworthy to hold on to it. A password protected database is itself not enough. To MoviePass, as a US company if you don't know what PCI is, that's ignorant. If you do and chose not to do anything about it, that's negligent. If you advertise yourself as PCI compliant, that's fraudulent.

https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
 

GeneralChang

macrumors 65832
Dec 2, 2013
1,501
1,167
Aaaah, MoviePass... I signed on very near the beginning, and jumped ship just before it totally capsized. I got a solid portion of a year of frankly excellent movie ticket prices, and suffered virtually no ill effects aside from a crippling addiction to theater popcorn. But I've gotta say, watching the clown-car of catastrophes that's unloaded since I left has been interesting to say the least.
 

MadeTheSwitch

macrumors 6502a
Apr 20, 2009
814
15,173
Why are box office sales declining year over year then? I'm not the only one who doesn't go to theaters anymore. Movie Pass was a disruptor and all the chains now have something similar because people want it. Movie Pass tried to get chains to partner and share in profits but instead they bucked and now there's 3 million less Movie Pass guests (some may have a chain based plan now). You're ignorant if you think paying $10-15 per ticket is not greedy. Redbox it for $2 and watch it at home with your own food and beer.
I don’t go much anymore either. Not only because it is expensive, but mainly because the people around you are horrible. They think they ARE home. They get up in front of you (multiple times), they make noise, they talk, they check their phones. It’s awful!