In the latest turn in MoviePass’ downward spiral, a security researcher has reportedly discovered the movie subscription service had for months left a database of user data exposed, including credit card numbers — all because one of the company’s servers was not protected with a password.
TechCrunch reported that the researcher found an unsecured database on one of the company’s subdomains with millions of records that included MoviePass card numbers as well as personal credit card numbers and associated expiration dates, names, and addresses. Some records included enough information to make fraudulent card purchases.
The unencrypted database also appeared to record failed login attempts, registering email addresses alongside failed passwords, the website reported.
The company’s response has left much to be desired.
Mossab Hussein, the researcher at the Dubai-based cybersecurity firm SpiderSilk, emailed MoviePass CEO Mitch Lowe last weekend after discovering the database — he received no response.
Another researcher told TechCrunch he too had discovered the database and contacted MoviePass. He received no reply and the database remained up for months.
MoviePass took the database offline only after TechCrunch reached out for comment Tuesday, according to the website. But it took almost a day after the story was first published for the publication to get a comment in response.
Reached for comment, a company spokeswoman sent IndieWire the same statement.
“MoviePass recently discovered a security vulnerability that may have exposed customer records,” it reads. “After discovering...