MoviePass, the theater subscription service that still inexplicably tries to stay in business, left thousands of customers' credit card numbers and other sensitive personal information exposed in an online database, according to a report by TechCrunch. A cybersecurity expert named Mossab Hussain, from a Dubai-based company called SpiderSilk, discovered the unprotected server and shared sample datasets with TechCrunch to confirm that MoviePass had in fact left the data unencrypted and accessible to anyone.
According to TechCrunch, the data includes both MoviePass debit card numbers and customers' personal credit card information, including card numbers, expiration dates, billing addresses, and names. TechCrunch states that in some cases the data was enough to make fraudulent purchases using someone else's card. The report also says Hussain found email addresses and failed login attempts logged on the unprotected server; TechCrunch tested this by making a failed login attempt with a dummy account, and the database showed the information, unencrypted, "almost immediately."
It is not clear whether any of this information was ever collected or disseminated by a malicious third party. However, Hussain's findings about the state of MoviePass's security are deeply disturbing. Given the mountain of controversy MoviePass has faced in the past, it's easy to see how cybersecurity could fall by the wayside. But the level of obvious disregard here means that thousands of MoviePass customers have been exposed to fraud and identity theft.
According to TechCrunch, Hussain contacted the company about the unsecured server and received no response. The database appears to have been taken down only after TechCrunch contacted the company earlier today.
"We continue to see companies of all sizes using dangerous methods to maintain and process private user data," Hussain told TechCrunch in an interview. "As far as MoviePass is concerned, we question why internal technical teams will ever be allowed to see such critical data in plain text
In case you have not been following MoviePass's collapse of late, the company's subscriber base has plunged by about 90 percent from a high of 3 million in mid-2018, after which management discovered it could not reliably afford full-price cinema tickets at the pace and volume customers demanded them. As a result, MoviePass and its parent company, a data analytics firm called Helios and Matheson, tried seemingly every imaginable way to stay in business, from introducing and reintroducing a variety of versions of its subscriptions, to blacking out certain movies and theaters, to a number of shady tactics around plan cancellation and automatic renewal.
Most recently, MoviePass shut down its app entirely and went dark in early July. CEO Mitch Lowe said at the time that the company had to completely overhaul the service, and it pledged not to charge monthly subscribers during the outage and to credit customers for the lost time. More than a month later, the company's website currently reads: "The MoviePass service has been restored to a significant number of our current subscribers, and we hope to take steps to restore the service to all of our current subscribers." During the downtime, MoviePass did not accept new subscribers.
MoviePass does not have a press line that can be reached. An email sent to the marketing address bounced back, and a request for comment sent to a former public relations spokesperson who has previously represented MoviePass was not immediately returned. The Verge is currently trying to figure out how best to contact the company for comment, and we will update this article if or when we hear back.