Massive MoviePass database found exposed on public server – Naked Security


Last year, MoviePass CEO Mitch Lowe gloated about how the company was using subscribers’ data…

…or, rather, how MoviePass could use that data, as a company spokesman hastened to point out in the uproar that followed Lowe’s remarks at an Entertainment Finance Forum session titled, appropriately enough, “Data is the New Oil: How Will MoviePass Monetize It?”

Media Play News quoted Lowe at the time:

We know all about you.

Well, to put a rancid cherry on top of that gritty little cupcake, MoviePass didn’t just know “all about you.” It also apparently knows how to let all that knowing flop around, unprotected, on the internet.

As TechCrunch reported on Tuesday, Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, recently stumbled across a massive database – TechCrunch’s Zack Whittaker reported that it contained 161 million records “and growing” as of the time he published his report – on one of the movie ticket subscription service’s subdomains.

Up for grabs were mundane logging messages, but the exposed records also included critical data, including customer card numbers and personal credit cards of some subscribers. There were 58,000 subscribers’ cards exposed as of Tuesday, and the number was growing.

And as Whittaker explains, MoviePass customer cards are similar to normal debit cards: issued by Mastercard, they store a cash balance, which subscribers can use to pay to watch a catalog of movies. Subscribers pay a monthly fee, and then MoviePass uses this debit card to load the full cost of the movie. The subscriber then uses that MoviePass card to pay for the movie at the cinema.