MoviePass Is Somehow Still Screwing Up, Exposes Thousands Of Customer Card Numbers

MoviePass's meteoric rise and rapid downfall is already the stuff of Hollywood cautionary tales, but somehow, the movie ticketing service keeps falling harder. It seems like the only time that MoviePass makes headlines lately is when its latest scandal surfaces, and this newest one is a doozy. According to a new report, MoviePass has exposed tens of thousands of customer card numbers and personal credit cards through an unprotected critical server. We all know the biggest issue here: MoviePass still has thousands of customers?TechCrunch reported that an exposed database has inadvertently exposed thousands of MoviePass card numbers. The exposed database, which is one of the company's many subdomains, contains 161 million records that continues to grow. While much of the database consists of normal "computer-generated logging messages used to ensure the running of the service," but 58,000 records of these records include sensitive user information such as MoviePass customer cards. TechCrunch reported:

These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.

We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card's balance and when it was activated.

TechCrunch also reported that it found records containing customers' personal credit card numbers, along with their expiration dates, billing information, names, and postal addresses — enough information to make fraudulent purchases. The database also included email addresses and password data related to failed login attempts. None of the records in the database were encrypted.

The database has since been taken offline by MoviePass following TechCrunch's reaching out to the company. However, the database may have been exposed for months, according to the cyberthreat intelligence firm RiskIQ, which first detected the system in late June. The exposed database was discovered by Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, who contacted MoviePass chief executive Mitch Lowe and received no response.

This is just the latest scandal surrounding MoviePass, which recently made headlines for allegedly blocking users out of the service by changing their passwords. MoviePass is no stranger to privacy breaches, having been criticized for selling user data to advertisers. The service recently lost as much as 90% of its userbase, though with these scandals, I can't imagine that they'll keep the remaining around for much longer.