Bad news for tens of thousands of customers using movie ticketing service MoviePass. Many may have had their credit card details stolen as an unsecured database visible online containing 161 million records was discovered. This discovery, reported Tuesday by TechCrunch, involved a live database that contained customer details and transaction information.
Of a sampling of 1,000 records analyzed, after excluding duplicates, aproxamently half contained MoviePass customer card numbers, while a small percentage hold actual credit card numbers. MoviePass customer cards are debit cards issued by Mastercard that customers use to purchase movie tickets at the theater.
The database was exposed for months. Yonathan Klijnsma, threat researcher at cyberthreat intelligence firm RiskIQ, found evidence that the database was open from early May. Then, after we published this story, security researcher Nitish Shah told TechCrunch he also found the exposed database months earlier. “I even notified them, but they [didn’t bother] to reply or fix it,” he said. He provided a screenshot of the exposed database for proof, which we verified.
Both MoviePass customer cards and users credit cards, exposed in the database included the card number, expiration dates, cardholder name and billing address, all in plain text. Making the matter worse, MoviePass failed to take down or secure the database when first informed of the breach. The company only took action after TechCrunch contacted them.
This all looks bad, because it is bad. MoviePass left a database, reportedly for months, containing data of at least 50,000 credit cards of MoviePass customers, publicly accessable and unincripted. In June 2018, MoviePass had over 3 million customers, so it’s possible even more individuals are inpacted.
Dubai-based security researcher Mossab Hussein speaking to TechCrunch explained that he found the exposed database using custom made web mapping tools, to peek into non-password protected databases connected to the internet, and identifie the owners.
2019 A year of Data Breaches
2019 has been a big year for data breaches. According to the 2019 MidYear QuickView Data Breach Report, the first six months of 2019 have held over 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records.
Cyber-criminals often use automated online scripts like Hussein’s to scrape up any exposed data by looking for unsecured databases. While the MoviePass data breach is making headlines now, it didn’t for months and companies of all sizes need to make security a priority.
According to the report the business sector accounts for 67% of the reported breaches and 84.6% of the exposed records. The report also found that: 149 of the 3,813 incidents reported this year, involved misconfigured databases and services, and exposed over 3.2 billion records.
It’s tepmpting to say “MoviePass, is fat arrogant and left you exposed” and that would apear to be true, but MoviePass is far from alone.