The Paypers
Digital Identity, Security & Online Fraud

Customer card numbers exposed by MoviePass security flaw

Thursday 22 August 2019 | 10:33 AM CET

MoviePass, a film ticket subscription service, has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.

A security researcher at cybersecurity company SpiderSilk discovered the exposed database. It contained over 161 million records at the time of writing and was growing in real time. None of the records in the database were encrypted.

Many of the records were normal computer-generated logging messages used to ensure the running of the service, according to ZDNet. However, many also included sensitive user information, such as MoviePass customer card numbers.

These MoviePass customer cards are similar to Mastercard debit cards that store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of films. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the film at the cinema.

After reviewing some of the exposed records, TechCrunch found that over 5,000 contained unique MoviePass debit card numbers. In addition, they found records containing customers' personal credit card numbers and expiry dates, along with billing information, including names and postal addresses. Some records, however, contained card numbers that had been masked except for the last four digits. The database also contained email addresses and some password data related to failed login attempts.

The researcher from SpiderSilk contacted MoviePass' chief executive by email, which TechCrunch says it has seen, but did not hear back. It was only after TechCrunch reached out on August 20, 2019 that MoviePass took the database offline. The database was exposed for months. A threat researcher at cyberthreat intelligence company RiskIQ found evidence that the database was open from early May 2019.
