An exposed database revealed the credit card numbers belonging to thousands of MoviePass customers, according to a new report. The leak is said to have involved more than 58,000 cards, including both the customer cards issued for MoviePass and customers’ personal credit cards. Other exposed data included names, expiration dates, and mailing addresses.
The exposed database was discovered by SpiderSilk security researcher Mossab Hussein, according to TechCrunch. The information was left vulnerable because the server, which is described as ‘critical,’ reportedly didn’t have a password. The customer card numbers were not encrypted.
Tens of thousands of records that included card information were reportedly found in this database, among them being personal credit cards with their expiration dates, names, and billing addresses. TechCrunch says that it found enough details in some of these records to make purchases with the customers’ data.
MoviePass works by issuing users customer cards that function like debit cards, feature the company’s logo, and can only be used at movie theaters. Many of these cards were reportedly left vulnerable by the security issue, as well.
Beyond the financial data, the exposed records reportedly also included some password information related to failed logins, as well as email addresses. According to the report, an attempt to log into MoviePass using a dummy email and non-existent password appeared in this database ‘almost immediately.’ The company reportedly only took the database offline after being contacted by the publication following initial contact by Hussein.