MoviePass members have reason to be concerned with the service. A security researcher from SpiderSilk named Mossab Hussein has announced that he found a major flaw in MoviePass servers. The flaw exposed a database that contained 161 million records and is still growing in real time. The researcher says that many of the messages in the database were routine computer-generated logging messages.
However, many of the entries included sensitive user information like MoviePass customer card numbers. MoviePass customer cards are like debit cards and are issued by MasterCard. TechCrunch reports that it reviewed 1,000 entries from that log and a bit over half of them contained MoviePass customer card numbers.
Information contained in the messages included the MoviePass debit card number, expiration date, card balance, and when the card was activated. The database contained more than 58,000 records containing card data. To make matters worse, the data in the database also included customers' personal credit card numbers and expiration dates, along with billing information, names, and postal addresses.
Some of the entries in the database did contain credit card numbers that had been masked except for the last four digits. The logs in the file also included email addresses and failed passwords from users attempting to log in to their accounts. None of the data in the database was encrypted. The security researcher emailed MoviePass CEO Mitch Lowe to tell him about the breach, but Lowe never responded. The database remained up and visible until yesterday.
This isn't the first time that MoviePass users were concerned with privacy; MoviePass promised that it wouldn't monetize users' location data.