In the latest turn in MoviePass’ downward spiral, a security researcher has reportedly discovered the movie subscription service had for months left a database of user data exposed, including credit card numbers — all because one of the company’s servers was not protected with a password.
TechCruch reported that the researcher found an unsecured database on one of the company’s subdomains with millions of records that included MoviePass card numbers as well as personal credit card numbers and associated expiration dates, names, and addresses. Some records included enough information to make fraudulent card purchases.
The unencrypted database also appeared to record failed login attempts, registering email addresses alongside failed passwords, the website reported.
The company’s response has left much to be desired.
Mossab Hussein, the researcher at the Dubai-based cybersecurity firm SpiderSilk, emailed MoviePass CEO Mitch Lowe last weekend after discovering the database — he received no response.
Another researcher told TechCrunch he too had discovered the database and contacted MoviePass. He received no reply and the database remained up for months.
MoviePass took the database offline only after TechCrunch reached out for comment Tuesday, according to the website. But it took almost a day after the story was first published for the publication to get a comment in response.
We finally have a statement from @MoviePass! It only took 28 hours. It doesn't answer any of our questions. I hope the lawyers were worth it.
— Zack Whittaker (@zackwhittaker) August 21, 2019
Reached for comment, a company spokeswoman sent IndieWire the same statement.
“MoviePass recently discovered a security vulnerability that may have exposed customer records,” it reads. “After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.”
This is just the latest misstep in the beleaguered service’s short life.
Business Insider reported in April the service had only 225,000 subscribers left, a massive decline from the over 3 million users a year before, prompted by changes to the pricing structure and restrictions on usage.
Earlier this month, a Business Insider investigation found that MoviePass manually changed the passwords on accounts it found most active in order to prevent top subscribers from using the service.
It now has a waitlist for new signups for the service, which is advertised at $19.95 a month for one movie a day. It notes that “excessive individual usage” may result in restrictions.