TechCrunch reported on Tuesday that Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, recently stumbled across a massive database. TechCrunch’s Zack Whittaker reported that it contained 161 million records “and growing” as of the time he published his report.
The data contained logging messages with nothing of interest, but there were also exposed records containing critical data, including customer card numbers and the personal credit cards of some subscribers. There were 58,000 subscribers’ cards exposed as of Tuesday, and the number was growing.
MoviePass customer cards are similar to normal debit cards. They are issued by Mastercard and store a cash balance, which subscribers can use to pay to watch a catalog of movies. Subscribers pay a monthly fee, and MoviePass then loads the full cost of the movie onto this debit card. The subscriber then uses that MoviePass card to pay for the movie at the cinema.
It turns out that somebody neglected to protect a critical server with a password, and none of the sensitive data was encrypted.
It was only after TechCrunch contacted MoviePass on Tuesday that the data was taken offline.