MoviePass Apparently Left 58,000 Customer Records Exposed on a Public Server

Image: Darron Cummings (AP)

Ticketing app and ongoing shitshow MoviePass has been burning through whatever could possibly remain of its finances at an incredible rate—when last the imploding startup was in the news, it was because it reportedly tried to prevent users from actually using it by changing their passwords and barring them from certain screenings. Leaked internal data in April showed that the company was down to 225,000 subscribers from its peak of three million. Its parent company, Helios & Matheson, took the app offline in July for some vaguely defined “updates,” and it has been inaccessible since. Now, according to a report in TechCrunch, it’s going to have to explain how it left some 58,000 users’ customer card details exposed on a database accessible to the entire internet.

According to TechCrunch, security researcher Mossab Hussein of Dubai-based SpiderSilk found that a database on a MoviePass subdomain containing some 161 million records was left exposed to the wider internet. Contained in said database were an estimated 58,000 records containing information on MoviePass customer cards, which are used to store cash balances, TechCrunch wrote:

These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.

We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated... The database had more than 58,000 records containing card data—and was growing by the minute.


TechCrunch added that the database also exposed “records containing customers’ personal credit card numbers and their expiry date—which included billing information, including names and postal addresses.” In some cases that would constitute enough information to make fraudulent purchases, according to TechCrunch and Hussein. TechCrunch also reported that the database contained “hundreds of records containing users’ email addresses and presumably incorrectly typed passwords”; when TechCrunch attempted to log into the database using a fake email address and password, it not only immediately gained access but observed that the fake login credentials were now part of its data set.

It was only when TechCrunch reached out to MoviePass on Tuesday that the company took the database offline, despite previous attempts by Hussein to reach the company over the weekend.


“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussein told TechCrunch. “... In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext, let alone the fact that the data set was exposed for public access by anyone.”

According to TechCrunch, while it is unclear how long the information was exposed, cyberthreat intelligence firm RiskIQ first discovered the database was accessible “in late June.”


About the best that can be said of this is that this round of MoviePass recklessness is at least less aggressive than the service’s behavior in fall 2018, when it reportedly re-enrolled customers who declined to opt into less generous subscription packages and started charging their cards again. Earlier this year, co-founder Stacy Spikes (who is no longer with MoviePass) said the $10-a-month, unlimited subscription plan that vaulted the company to prominence in the first place was never supposed to be more than a promotional deal.

[TechCrunch]