On Tuesday, TechCrunch reported that security researcher Mossab Hussein, of the company SpiderSilk, found an exposed, unencrypted MoviePass database with millions of records. Some of these included the custom debit card numbers used when subscribers purchase tickets, while others listed customers' personal information, including credit card numbers, expiration dates, and billing information. Another researcher had located the exposed information back in July and notified the company, but none of the researchers were able to get answers, while another found evidence that the database had been public since May this year.
MoviePass took the database offline yesterday after the report, and today finally responded publicly with a statement from a spokesperson.
MoviePass recently discovered a security vulnerability that may have exposed subscriber listings. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this event seriously and is dedicated to protecting the subscriber's information. We work diligently to investigate the extent of this incident and its potential impact on our subscribers. Once we have fully understood the incident, we will immediately notify all affected subscribers and appropriate regulators or law enforcement.
The company put its services "on hold" in July while saying it was working on its app, but could not close this security hole, despite apparent attempts at notification, before restoring access "to a significant number of our current subscribers."