Movie ticket subscription service MoviePass exposed thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.
Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, discovered an exposed database on one of MoviePass's many subdomains. The database was vast, containing 161 million records at the time of writing and growing in real time. Most of the records were ordinary computer-generated logging messages used to keep the service running properly. However, many also included sensitive user data, such as MoviePass customer card numbers.
These MoviePass customer cards are like regular debit cards: they're issued by Mastercard and store a cash balance, which customers who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full price of the movie, which the customer then uses to pay for the film at the cinema.
More than half of the leaked records contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card's balance, and when it was activated.
The database had over 58,000 records containing card data and was growing by the minute.
We also found records containing customers' personal credit card numbers and their expiry dates, along with billing information, including names and postal addresses.
Several records, however, contained card numbers that had been masked except for the last four digits.