The card information included both credit card numbers and MoviePass card numbers. The MoviePass cards are MasterCards loaded with a balance that customers then use to see a film at the cinema. It’s pretty antiquated – much like MoviePass’s security measures.
TechCrunch, which saw the database, said 58,000 records contained card numbers. While some credit card numbers were partially masked, it found several records with which someone could easily make purchases, all from a completely unencrypted database hosted online.
TechCrunch also reported that Hussein emailed the CEO of MoviePass, Mitch Lowe, to explain his findings, as did another threat researcher. After publication, a third person contacted the outlet to say they had notified the company of the exposure ‘months earlier’, but had received no reply, and the hole was not plugged.
“MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement,” said Lowe in a long-overdue statement.
This is just the latest in several years of high-profile data leaks from companies that don’t have adequate encryption and security measures. Famously, the infidelity match-up site Ashley Madison was exposed in 2015, leading to the leaking of thousands of members’ names.