The personal credit card information of more than 58,000 MoviePass members has reportedly been exposed through a critical server that was not password protected.
Security researcher Mossab Hussein found the exposed database on one of the company’s subdomains, according to
Hussein, who works for cybersecurity firm SpiderSilk, claimed that the subdomain contained 161 million records when he made the discovery.
According to Hussein, personal credit card information for MoviePass customers had been exposed as well as members’ MoviePass customer card numbers, which operate like debit cards.
MoviePass debit cards are issued by Mastercard.
MoviePass cardholders have the ability to upload cash to their Mastercards, and for $19.95 per month, subscribers can watch any movie in the company’s app and use their MoviePass debit cards at most theaters nationwide.
Hussein told TechCrunch that his company reviewed a sample of 1,000 records and more than half contained MoviePass debit card numbers.
The more than 58,000 MoviePass card records also contained the expiration dates and card balances. Hussein said the numbers continued to climb by the minute as his team observed the database.
According to the news site, Hussein said he also discovered customers’ personal credit card numbers, expiration dates and billing addresses.
Hussein said MoviePass had been negligent in leaving data unencrypted in an exposed, accessible database.
‘In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the data set was exposed for public access by anyone,’ he told TechCrunch.
The information is believed to have been unencrypted and exposed for months.
Hussein has contacted MoviePass’ CEO Mitch Lowe about the security threat, but he hasn’t heard back.
A DailyMail.com request for comment to the company was also not immediately returned.
However, as of Tuesday, MoviePass had taken the database offline, though it has not announced a plan of action to prevent future breaches.
When MoviePass launched, it attracted waves of consumers on the proposition that they could watch unlimited movies for just $9.99 per month.
But that business model eventually proved futile as the company found that it could no longer sustain it.
In July 2018, MoviePass temporarily went out of service after the company ran out of money, forcing it to borrow an emergency $5 million from a hedge fund.
The company made strides after it rolled out three new subscription plans in January 2019 for users to choose from, but just a few months later, MoviePass announced that it would be abandoning the former three-tier structure.
MoviePass had been bleeding subscribers as it faced financial troubles, with many expressing frustration over the unreliable service and increasing subscription prices.
In March, MoviePass brought back the original plan that caused it to shoot to fame – but it came with a catch.
The discount ticket service launched Uncapped, a revamped version of its original unlimited plan, which lets users watch one movie per day.
Uncapped costs $9.95 per month if subscribers pay for a full year in advance.
If they elect to pay on a monthly basis, it’ll cost users $14.95 per month for a limited time, after which point, the price will go up to $19.95 for unlimited tickets.