Unencrypted MoviePass Database Exposes Sensitive Info From Thousands of Customers

[MacRumors]

Struggling movie ticket subscription service MoviePass stored thousands of customer card numbers and personal credit cards in a database that was not protected with a password, reports TechCrunch.

The exposed database, which contained 161 million records, was discovered by Mossab Hussain, a Dubai-based security researcher. Many of the records in the database were computer-generated logging messages, but some also featured sensitive user information like MoviePass customer card numbers.

MoviePass customer cards work like debit cards and are issued by Mastercard, allowing customers who sign up for MoviePass to use them to pay for the full cost of movie tickets.

In a sample of 1,000 records, TechCrunch found that a little over half contained unique MoviePass debit card numbers, expiration dates, and card balance. More than 58,000 records containing card data were found.

The unprotected MoviePass database also featured some customers' personal credit card numbers along with expiration dates, names, addresses, and other billing information. TechCrunch says that records contained enough information to allow someone to make fraudulent card purchases, though some records featured card numbers that were masked with the exception of the last four digits.

Email addresses and passwords related to failed login attempts were also found in the database.

We found hundreds of records containing the user's email address and presumably incorrectly typed password -- which was logged -- in the database. We verified this by attempting log into the app with an email address and password that didn't exist but only we knew. Our dummy email address and password appeared in the database almost immediately.

While Hussain contacted MoviePass CEO Mitch Lowe over the weekend, there was no response. MoviePass left the database online until Tuesday when TechCrunch contacted the company.

The database may have been accessible for months, but MoviePass did not respond to TechCrunch's questions about how long the server was exposed and whether it plans to disclose the incident to customers.

Hussain told TechCrunch that he questions why internal technical teams would be allowed to see critical data in plaintext, "let alone the fact that the dataset was exposed for public access by anyone."

Since its early 2018 launch, MoviePass has failed catastrophically. It ran out of money temporarily in mid-2018 because it was losing up to $40 million per month, and then began cutting back on the quality of service, limiting movie access, raising prices, and even temporarily shutting down.

Earlier this month, there were reports suggesting that MoviePass even went as far as changing the passwords of its most active users in an attempt to save money. Over the course of the last year, MoviePass has allegedly gone from three million subscribers to approximately 225,000.

Article Link: Unencrypted MoviePass Database Exposes Sensitive Info From Thousands of Customers

 

[jonblatho]

Is MoviePass back from their purported app update vacation yet?

 

[redneckitengineer]

I jumped ship a LONG time ago when they started limiting and cutting. The funny thing, I haven't been back to the theaters once since. Greedy theaters that didn't want to partner lost all my business. Instead of being reasonable, they lost a lot more.

 

[KGBguy]

Yep, this company is a total joke. I dumped them 2 months after getting it.

 

[Unity451]

The company changed their business model again... this time they're selling customer data for profit... I'm sure they'll revise the strategy again next week.
[doublepost=1566339456][/doublepost]

Earlier this month, there were reports suggesting that MoviePass even went as far as changing the passwords of its most active users in an attempt to save money.

#murica

 

[macduke]

Well, I guess I was wrong when I last commented about Movie Pass over a year ago. They'll be remembered because of their data leaks.

If something seems too good to be true, it usually is. Most people saw this coming. Now MoviePass will fade into obscurity and be forgotten about.

 

[thisisnotmyname]

It's just incredible that a company would still have such terrible data protection processes that this could happen but I find the tidbit buried at the end to almost as bad. I'd go read that article because "reports" could mean unsubstantiated rumors from a disgruntled employee but if they were changing passwords to block users that's inviting a lawsuit.

edit to add: that was a really interesting article. Amazing how much shenanigans was going on in the background at MoviePass

 

[TMRJIJ]

I honestly thought this company was dead already

 

[dannyyankou]

Thank god I never took the bait and signed up for this cluster service.

 

[now i see it]

time and again, new companies show that they are lazy and clueless when it comes to securing customer data.
At this point it's pretty clear that this kind of crap will continue as long as humans and computers exist.
Lesson learned? Every newfangled Internet dependent service should be considered a security hazard.

 

[CarlJ]

Greedy theaters that didn't want to partner lost all my business. Instead of being reasonable, they lost a lot more.

Greedy theaters? Reasonable? MoviePass was selling you deeply discounted tickets that they were buying at full price, and your takeaway is that the tickets were overvalued? If I go bankrupt selling you dollar bills for 25 cents each, do you think that dollar bills are too expensive at normal prices, or that I had a terrible business plan.

 

[thefourthpope]

I honestly thought this company was dead already

Ditto. Never did seem feasible as a business model, especially with theaters immediately making plans to offer their own plans (our town only has a Regal theater, so I’ve only paid attention to them, but they’ve recently launched their own subscription program after whispering about it for a while).

 

[kazmac]

Wow. Well, if this doesn’t sink Movie Pass, I don’t know what will.

Unfortunate about folks’ personal information being exposed too though.

 

[zorinlynx]

Why does this company still exist? Shouldn't it be six feet under by now? How can a company be such a complete cluster-****, lose millions and millions of dollars, and still be around to lose control of customer data?

It's frustrating to see this happen while so many good people are scraping by.

 

[fairuz]

I love how companies that suck for unrelated reasons always get hacked too.

 

[apolloa]

Anither online service that’s cheaped out in security, shocker....

I suspect the majority of online services record your data in plain text, they don’t want to spend the money on proper security as is required by some data protection laws.
I always just think of Sony and how it’s customer data was not hashed is it? A couple of huge break ins and thefts (no one was ever arrested for the theft of millions of credit cards and personally identifiable user information from Sony), and some fines, but massive public outcry later and they eventually do it properly, or so they claim.

So glad these people keep on calling out these services that take security as a joke and a cost cutting measure.

 

[MadeTheSwitch]

Damn. How incompetent can one company be? This needs to be the final straw for the company. And then, when the company collapses, the people responsible for the mess need to be blackballed from ever having anything to do with sensitive data ever again in any company they try to go work for.

They have demonstrated they aren’t capable of being responsible.

 

[Khedron]

time and again, new companies show that they are lazy and clueless when it comes to securing customer data.
At this point it's pretty clear that this kind of crap will continue as long as humans and computers exist.
Lesson learned? Every newfangled Internet dependent service should be considered a security hazard.

They've shown such consistent and willful negligence that at this point I'd support mandatory licensing and proof of encryption and security before any business wants to save a single piece of user information.

 

[alphaod]

I deleted my account last year after that whole AMC fiasco and ended up getting A-List though... I hope my information is not in that database.

 

[Scott6666]

The company changed their business model again... this time they're selling customer data for profit... I'm sure they'll revise the strategy again next week.
[doublepost=1566339456][/doublepost]
#murica

Selling customer data to hackers is the new business model.

 

[redneckitengineer]

Greedy theaters? Reasonable? MoviePass was selling you deeply discounted tickets that they were buying at full price, and your takeaway is that the tickets were overvalued? If I go bankrupt selling you dollar bills for 25 cents each, do you think that dollar bills are too expensive at normal prices, or that I had a terrible business plan.

Why are box office sales declining year over year then? I'm not the only one who doesn't go to theaters anymore. Movie Pass was a disruptor and all the chains now have something similar because people want it. Movie Pass tried to get chains to partner and share in profits but instead they bucked and now there's 3 million less Movie Pass guests(some may have a chain based plan now). Your ignorant if you think paying $10-15 per ticket is not greedy. Redbox it for $2 and watch it at home with your own food and beer.

 

[anson42]

Seriously, if a company is not advertising themselves as PCI DSS compliant, there is every opportunity for said company to be mishandling credit card data and is thus not trustworthy to hold on to it. A password protected database is itself not enough. To MoviePass, as a US company if you don't know what PCI is, that's ignorant. If you do and chose not to do anything about it, that's negligent. If you advertise yourself as PCI compliant, that's fraudulent.

https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

 

[GeneralChang]

Aaaah, MoviePass... I signed on very near the beginning, and jumped ship just before it totally capsized. I got a solid portion of a year of frankly excellent movie ticket prices, and suffered virtually no ill effects aside from a crippling addiction to theater popcorn. But I've gotta say, watching the clown-car of catastrophes that's unloaded since I left has been interesting to say the least.

 

[MadeTheSwitch]

Why are box office sales declining year over year then? I'm not the only one who doesn't go to theaters anymore. Movie Pass was a disruptor and all the chains now have something similar because people want it. Movie Pass tried to get chains to partner and share in profits but instead they bucked and now there's 3 million less Movie Pass guests(some may have a chain based plan now). Your ignorant if you think paying $10-15 per ticket is not greedy. Redbox it for $2 and watch it at home with your own food and beer.

I don’t go much anymore either. Not only because is it expensive, but mainly because the people around you are horrible. They think they ARE home. They get up in front of you (multiple times), they make noise, they talk, they check their phones. It’s awful!