Movie ticket subscription service MoviePass stored customer credit card numbers in plain text on an exposed server (via TechCrunch).
Security researcher Mossab Hussein found an exposed MoviePass database on one of the company's subdomains. It held 161 million records and was growing in real time. MoviePass has its own card that works like a debit card. Customers can load it with cash and use it to subscribe.
We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers…We also found records containing customers’ personal credit card numbers and their expiry date — which included billing information, including names and postal addresses. Among the records we reviewed, we found records with enough information to make fraudulent card purchases.
Also in the database were email addresses and data related to failed login attempts. Mr. Hussein emailed MoviePass CEO Mitch Lowe. He didn’t hear back, but over the weekend the database was taken offline.