MoviePass confirmed a data breach that exposed customer data on an unprotected database. The incident included credit card numbers.
Researchers discovered the database online on a subdomain of MoviePass with no password protection. The subdomain contained 161 million records. At least 58,000 records on the database contained customer card and credit card information, as well as names, email addresses, and what appears to be password data from failed login attempts.
Multiple security experts and researchers identified the exposed database and attempted to contact MoviePass, but were apparently ignored. The database itself had been online and accessible since at least May 2019.
“MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident,” said MoviePass chief executive Mitch Lowe.
“In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the data set was exposed for public access by anyone,” said Mossab Hussein, one of the researchers who found the database.