MoviePass database exposes 161 million records

News by Teri Robinson

A MoviePass subdomain database housing 161 million records was left unsecured and exposed credit card and customer card information on at least 60,000 of the ticket service's customers

A database on a MoviePass subdomain housing 161 million records was left unsecured and exposed credit card and customer card information on at least 60,000 of the ticket service’s customers. 

The database, which included expiration dates, names and addresses on some users as well as email and passwords, was discovered by SpiderSilk security researcher Mossab Hussein, according to a report from TechCrunch, which said the information may have been exposed for several months. 

"Because a database was left publicly accessible, reportedly for months, at least 58,000 records related to MoviePass customers are vulnerable to misuse and abuse at the hands of cybercriminals," said Stephan Chenette, Co-Founder and CTO at AttackIQ. "At its peak, MoviePass boasted more than 3 million customers in June 2018, so it’s entirely possible we’ll see the number of impacted individuals grow exponentially."

And while it’s a "bit unclear how many of these records included sensitive consumer data," said Jumio President Robert Prigge, "what we should all expect is that a healthy chunk of this data will ultimately find a happy home on the dark web."

Because "technically, this breach can be interpreted as the company giving away customer data for free" and because the exposed data included personally identifiable information and payment card details, it leaves "impacted customers vulnerable to future fraud or phishing attacks," said Arkose Labs CEO Kevin Gosschalk.

The once rapidly growing, but often financially challenged, MoviePass popped up last year to great fanfare, attracting millions of customers who pony up a monthly subscription fee and use MasterCard-issued debit cards to pay for movie passes.

 "Unlike credit cards, debit cards don’t offer the same protection to customers. When a fraudulent transaction occurs on your credit card, you have lost no money and the issue will never impact your bank account. With a debit card, your bank account balance is directly affected from the moment the fraudulent transaction takes place. While the customers can put a hold on their cards, timing is the key in these types of situations. As this database was left publicly accessible, reportedly for months, companies must learn from MoviePass’s mistake and implement a proactive approach to fraud prevention that safeguards their customers’ data."

Adam Laub, CMO at STEALTHbits Technologies, sees "two separate, yet closely related components" to the MoviePass breach. "On one side you have a database rich with sensitive, personally-identifiable information that is readable in plaintext," he said. "On the other, you have a misconfiguration that allows anyone with internet access to view that information. Which is worse?"

Laub said if the data had "been masked, the information would still be accessible, but perhaps not so immediately valuable" but "if access rights were configured properly and appropriately, this discovery might never have been made and there would be no story in the first place."

Both are problematic. "A layered approach to security is the ideal scenario, but either could have conceivably been enough to make this a non-issue," he said. "While convenient to say in light of this particular situation, organisations of any type or size can drastically mitigate their risk of finding themselves in these types of situations by focusing their time on locating and limiting access to the data attackers would be most interested in, as well as verifying desired configurations are being adhered to across all devices and information assets.

MoviePass had trouble keeping pace with its rapid growth and has reportedly seen a drop in membership to fewer than 225,000 subscribers. The movie subscription service could see its reputation – and financial future – continue to dive after this latest incident, which came at a particularly crucial juncture following a series of unfortunate events.

"MoviePass reportedly obstructed its customers from buying tickets by forcibly changing user passwords in April 2019," said Ben Goodman, senior vice president of global business and corporate development at ForgeRock.

"According to a recent survey from PwC, 87 percent of consumers take their business elsewhere if they do not trust a company is handling their data responsibly, so it will not be surprising if affected customers take their business to alternative services like Regal Entertainment’s Regal Unlimited instead." 

"MoviePass customers should subscribe to a credit reporting service that notifies you when there are changes to your credit score, and be sure to check bank and credit statements to make sure there no unforeseen charges," Israel Barak, chief information security officer at Cybereason, told SC Media UK.

"If you’re a victim of identity theft, make sure you tell your financial institutions, credit issuers and local police of the theft as soon as you can," he added.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews