In a statement dated last Wednesday, August 20, 2019, MoviePass confirmed that the security details of its customers had been compromised. The compromised database exposed credit card information.
According to an article by CNN, Mossab Hussein discovered the breach. Hussein works as a security researcher at SpiderSilk, a Dubai-based company specializing in cybersecurity defenses. The report published by the company reveals that millions of MoviePass users were affected by the breach.
Hussein told CNN that he notified the company about the security flaw immediately after the discovery. However, having heard nothing from MoviePass, Hussein reported the issue to TechCrunch.
Based on the report by TechCrunch, the film subscription business exposed sensitive information due to an unprotected server. The database in question allegedly lacked a password and failed to encrypt the thousands of customer records it held. The exposed details include customer card numbers and personal credit cards.
Besides card numbers, the server also contained other information, such as billing details and the cards' expiration dates. The system also held customers' names and subscribers' postal addresses. In most cases, TechCrunch revealed, card numbers remained exposed with the exception of the last four digits.
When customers sign up, MoviePass provides them with cards whose numbers reportedly function like debit cards, CNN states. These cards and numbers allow users to watch one film a day. Moreover, the card, loaded with a specific amount, may also be used to pay for films shown in theaters.
Yonathan Klijnsma, a threat researcher at RiskIQ, discovered that the database had remained open for months before MoviePass took action. Klijnsma found the server exposed as early as May 2019, leaving consumer information vulnerable.
Another security researcher, Nitish Shah, reached out to TechCrunch, saying he had found the flaw earlier. However, the company failed to address the issue in a timely manner.
Following the incident, MoviePass announced that it will be taking a hiatus. During this time, the movie theater subscription service will update and sort out the security details of its application.
While the business expressed its disappointment, it also “believe[s] [it] will provide a much better experience for our subscribers.” Mitch Lowe, the chief executive officer, says, “there’s never a good time to have to do this.” As it aims to address the issue, the subscription service pulled its app in late July, The Verge notes.
Lowe assured the public they are “working diligently to investigate the scope of this incident and its potential impact.”