A MoviePass Security Gaffe Leaves Tens of Thousands of Accounts Exposed
When MoviePass launched a $9.95 subscription service in 2017, it was heralded as nothing less than a revolution in the moviegoing experience. The monthly fee allowed once-daily admission to first-run theatrical films at all of the major chains. Roughly 1 million people signed up for the app in the first four months alone. But AMC and other exhibitors resisted the business plan, leading to dwindling benefits and bad press.
Now, MoviePass is dealing with another issue: leaving the customer card numbers of at least 58,000 users, plus many credit card numbers, easily accessible on a server.
According to TechCrunch, the data was first discovered by Dubai-based security firm SpiderSilk and security researcher Mossab Hussein. The cards were left unencrypted and available to review on the server without the need for a password. MoviePass cards are issued by Mastercard and operate like conventional debit cards, with pre-loaded balances that pay the full admission price at theater chains. The unsecured server also held the conventional credit card information that customers use to pay for the MoviePass subscription. These records included billing addresses. TechCrunch stated that among the records they reviewed, some contained enough information to make fraudulent purchases.
The database was taken offline this week, but it’s believed it had been open and accessible for months. Security researcher Nitish Shah said he discovered the database earlier in the year, wrote MoviePass to warn them, but received no reply. In a statement, MoviePass CEO Mitch Lowe said the company was looking into it and would notify affected customers. In the interim, it's probably wise for MoviePass subscribers to monitor affiliated credit cards for any suspicious charges.