An unprotected server leaked credit cards numbers of MoviePass clients

MoviePass is the most recent company to experience a data breach due to an unprotected database

MoviePass fixes a data breach that occurred due to an unprotected database which was keeping credential and other personal information about thousands of users

Another massive data breach had occurred in the cybersecurity field lately when credentials of thousands of MoviePass customers were leaked due to an unprotected server. MoviePass' is a movie-ticketing service that was found in New York City 8 years ago and had several financial issues since then.^[1] Unfortunately, another misstep was just around the corner – the customer data leak.

The recent data exposure accident happened due to a server which was not secured by a password – the news broke when security researcher Mossab Hussein from SpiderSilk security firm uncovered the unprotected database in one of the MoviePass' subdomains.^[2] The database so far leaked around 161 million records that consists of server logs and, unfortunately, credit card information of MoviePass users, along with emails and other personal data. Evidence showed that the information was exposed for several months – at least from May.

Hussein encountered the leakage while employing web mapping equipment that is suitable for locating unprotected sources on the Internet. Even though the discoverer of the breach immediately contacted the company, there was no response given back until a report was published by TechCrunch.^[3]

The stolen information could be used to make falsified purchases via the MoviePass card

MoviePass cards are a very handy, as they allow paying for movie subscriptions online store the cash balance that users can pay for the tickets in theaters for. Just like any other Credit or Debit card, MoviePass is issued by MasterCard:^[4]

The exposed information regarding credentials included more than just a couple of details, however. If hackers were to access the unsecured database, they might have got in hold of credit card expiry dates and billing information which also including customers' names and postal addresses. TechCrunch claims that, according to their findings which they obtained from the leaky database, this data would be enough for cybercriminals to perform illegal card transactions for online purchases.

Nevertheless, experts have discovered that were even more information put at risk on the unprotected server. For example, researchers found out that numerous emails and some unencrypted passwords also were exposed and could have led to some major hacking attempts if located by bad actors.

The vulnerable server was fixed only after months of data exposure

Reports say that the unprotected database was exposed online for a long period. The disappointing part of the story is that MoviePass did not bother to secure customer data throughout the time, even though several other researchers (RiskIQ researcher Yonathan Klijnsma and Nitish Shah) approached the company months previously – with no answers.

Finally, as MoviePass got cornered due to massive media attention, it did not have a choice but say they “care about users' safety.” As of now, the company stated that it is going to improve its security measures, but only time will tell:^[5]

MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.

Users are indeed the biggest victims of such data breachers, as they provide very sensitive details to a company they buy services from. Organizations should be able to protect that information adequately. Unfortunately, as many previous incidents show (adult site Luscious, biometrics company Suprema, Honda ElasticSearch, etc.), the leaky and unencrypted databases exposed online remain a huge problem.

If you were the victim of a data breach, make sure you change your passwords and contact your bank to block the compromised card immediately.