MoviePass’ Latest Stumble: Exposing Users’ Credit Card Numbers and Other Data

It's all because one of the company's servers was not protected with a password.
Cassie Langdon holds her MoviePass card outside the AMC Indianapolis 17 theatre in Indianapolis. The startup, which lets customers watch a movie a day at theaters for just $10 a month, is limiting new customers to just four movies a month. The move comes as customers and industry experts question the sustainability of MoviePass' business model. Because MoviePass is paying most theaters the full price of the ticket, the service is in the red with just one or two movies in a month. (MoviePass Plan Change, Indianapolis, USA - 30 Jan 2018)
Darron Cummings/AP/REX/Shutterstock

In the latest turn in MoviePass’ downward spiral, a security researcher has reportedly discovered the movie subscription service had for months left a database of user data exposed, including credit card numbers — all because one of the company’s servers was not protected with a password.

TechCrunch reported that the researcher found an unsecured database on one of the company’s subdomains with millions of records that included MoviePass card numbers as well as personal credit card numbers and associated expiration dates, names, and addresses. Some records included enough information to make fraudulent card purchases.

The unencrypted database also appeared to record failed login attempts, registering email addresses alongside failed passwords, the website reported.

The company’s response has left much to be desired.

Mossab Hussein, the researcher at the Dubai-based cybersecurity firm SpiderSilk, emailed MoviePass CEO Mitch Lowe last weekend after discovering the database — he received no response.

Another researcher told TechCrunch he too had discovered the database and contacted MoviePass. He received no reply and the database remained up for months.

MoviePass took the database offline only after TechCrunch reached out for comment Tuesday, according to the website. But it took almost a day after the story was first published for the publication to get a comment in response.

Reached for comment, a company spokeswoman sent IndieWire the same statement.

“MoviePass recently discovered a security vulnerability that may have exposed customer records,” it reads. “After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.”

This is just the latest misstep in the beleaguered service’s short life.

Beginning July 4, the service suddenly went offline for an indefinite period for technical upgrades. It is still in the process of restoring service for some users, according to its website.

Business Insider reported in April the service had only 225,000 subscribers left, a massive decline from the over 3 million users a year before, prompted by changes to the pricing structure and restrictions on usage.

Earlier this month, a Business Insider investigation found that MoviePass manually changed the passwords on accounts it found most active in order to prevent top subscribers from using the service.

It now has a waitlist for new signups for the service, which is advertised at $19.95 a month for one movie a day. It notes that “excessive individual usage” may result in restrictions.

IndieWire is a part of Penske Media Corporation. © 2023 IndieWire Media, LLC. All Rights Reserved.