A critical unprotected server belonging to troubled movie ticket subscription service MoviePass exposed more than 160 million records and tens of thousands of customer card and personal credit card numbers.
As reported in TechCrunch, Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, discovered the exposed database on one of MoviePass’s numerous subdomains. Many of the records included sensitive user data, such as MoviePass customer card numbers. These cards function like debit cards: they are issued by Mastercard and store a credit balance, which users spend as payment when making selections from a catalog of movies at theaters.
TechCrunch reported that they reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiration date, the card’s balance and activation date. The database had more than 58,000 records containing card data. They also discovered records containing customers’ personal credit card numbers and expiration dates, along with billing information such as names and postal addresses, sufficient data to make fraudulent card purchases.