Thousands of MoviePass Subscriber & Payment Card Numbers Exposed

A critical unprotected server belonging to troubled movie ticket subscription service MoviePass exposed more than 160 million records and tens of thousands of customer card and personal credit card numbers

As reported in TechCrunch, Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, discovered the exposed database on one of MoviePass’s numerous subdomains. Many of the records included sensitive user data, such as MoviePass customer card numbers, which function like debit cards are issued by Mastercard and store a credit balance, which users use as payment when making selections from a catalog of movies at theaters.

TechCrunch reported they reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiration date, the card’s balance and activation date. The database had more than 58,000 records containing card data. They also discovered records containing customers’ personal credit card numbers and expiration date, which included billing information such as names and postal addresses — sufficient data to make fraudulent card purchases.

Hussain said he contacted MoviePass but did not hear back. It was only after TechCrunch reached out recently that MoviePass took the database, exposed as far back as May 2019, offline.

“MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident,” chief executive Mitch Lowe MoviePass acknowledged in a statement.

The data breach is the latest in a series of issues for MoviePass since its 2017 launch including a forced reset of users’ passwords in April 2019, price and subscription plan changes following a cash crunch for owners Helios and Matheson Analytics, and a drop in its share price. In March, Helios and Matheson admitted the service also had fewer subscribers than previously disclosed.

As with all data breaches and/or events involving personal information and payment cards the risks could extend to credit unions and other financial institutions.

“Unlike credit cards, debit cards don’t offer the same protection to customers. When a fraudulent transaction occurs on your credit card, you have lost no money and the issue will never impact your bank account,” Kevin Gosschalk, CEO, Arkose Labs, pointed out. However, Gosschalk warned there is risk on bank balances from the moment a fraudulent transaction takes place. “While the customers can put a hold on their cards, timing is the key in these types of situations.”

Gosschalk added, Companies must realize that digital commerce is built on data and convenience, “Far too often data breaches occur due to companies leaving their databases unprotected. Unfortunately, MoviePass suffered a breach because of the same severe lapse of security.”

Ben Goodman, CISSP and SVP of global business and corporate development, ForgeRock, said “MoviePass reportedly obstructed its customers from buying tickets by forcibly changing user passwords in April 2019. According to a recent survey from PwC, 87% of consumers take their business elsewhere if they do not trust a company is handling their data responsibly, so it will not be surprising if affected customers take their business to alternative services like Regal Entertainment’s Regal Unlimited instead.” Goodman added, it is critical that all organizations understand the serious risk associated with a breach of customer information.

“Leaving sensitive customer data unencrypted on an exposed database could not have come at a worse time for MoviePass as it is still recovering from a series of unfortunate events like decline in customer base, its forced reset of users’ passwords in April 2019, and the emergence of Regal Entertainment’s competing service,” Vinay Sridhara, chief technology officer, Balbix. Sridhara noted the payment information and other personally identifiable information present in the database is more than enough for threat actors to make fraudulent purchases or even quickly flip this information on the dark web for a premium.

Anurag Kahol, chief technology officer, Bitglass, stated, “The type of data exposed by MoviePass puts customers at risk of highly targeted phishing attacks and identity theft – a position in which no company ever wants to place its customers. What stands out about this incident is the amount and type of data that was stored in plaintext and ultimately was left publicly accessible.” Kahol added companies should always encrypt sensitive data.

Stephan Chenette, co-founder and chief technology officer at AttackIQ, observed, “Because a database was left publicly accessible, reportedly for months, at least 58,000 records related to MoviePass customers are vulnerable to misuse and abuse at the hands of cybercriminals. At its peak, MoviePass boasted more than 3 million customers in June 2018, so it’s entirely possible we’ll see the number of impacted individuals grow exponentially.”

“Another week, another data breach. It is a little bit unclear how many of these records included sensitive consumer data, but what we should all expect is that a healthy chunk of this data will ultimately find a happy home on the dark web, Robert Prigge, president of Jumio. Prigge suggested what is also clear is that knowledge-based authentication should be heavily scrutinized as a reliable means of authentication. “Why? Given that more and more of our supposed shared secrets are now available for pennies on the dark web, the job of the fraudster — especially those focused on account takeovers — just got a little bit easier.”

Chris DeRamus, chief technology officer of DivvyCloud, said, “Misconfigurations like this are frequent, and enterprises should be thankful when white hat security researchers flag vulnerabilities. Within the months that MoviePass’ database was exposed, cybercriminals not only could have made fraudulent purchases, but they also could have launched phishing attacks against MoviePass customers to gain access to additional sensitive information,” DeRamus added. “The truth is, most companies still lack the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis.”