Facepalm: MoviePass has suffered a litany of issues since slashing prices to rock-bottom levels and attracting massive attention two years ago. Most of the wounds have been self-inflicted, to the point that you'd have to seriously consider whether it's worth doing business with them.
Movie ticket subscription service MoviePass inadvertently exposed thousands of customer card numbers due to lax security on a critical server.
Security researcher Mossab Hussein from Dubai-based cybersecurity firm SpiderSilk discovered the exposed database and tipped off TechCrunch. The publication reviewed a sample of 1,000 records and, after removing duplicates, found that more than half of them contained MoviePass debit card numbers.
MoviePass issues debit cards to its subscribers, which it loads with funds used to pay for admission at your local theater.
In total, Hussein said more than 58,000 records in the database contained card data. TechCrunch also found personal credit card numbers, expiration dates and billing information including names and addresses as well as e-mail addresses and logs of failed password attempts. "We found records with enough information to make fraudulent card purchases," the publication said.
Hussein attempted to contact MoviePass CEO Mitch Lowe over the weekend regarding the matter but didn't get anywhere. It was only on Tuesday after TechCrunch reached out that MoviePass took the database offline.
According to cyber threat intelligence firm RiskIQ, the database may have been exposed for months. Another security researcher, Nitish Shah, also came forward and told TechCrunch that he found the exposed database months earlier but MoviePass never replied or fixed it.