MoviePass Spills Card Info and Passwords From Unsecured Database

Movie subscription service MoviePass is in hot water again this week. This time, it’s emerged that a customer database was open to all.

The unprotected database contained payment-card data, email addresses, passwords and other PII. It also logged failed password attempts, so users’ accounts on other services were at risk.

What a mess. In today’s SB Blogwatch, we schadenfreude it up.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 4on4.


Let’s All Go to the Lobby

What’s the craic, Zack? Mister Whittaker reports—“MoviePass exposed thousands of unencrypted customer card numbers”:

The database was massive, containing 161 million records … and growing. [It] included sensitive user information, such as MoviePass customer card numbers … and personal credit cards.

These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance. … A little over half … more than 58,000 records [contained] card data. … We found records with enough information to make fraudulent card purchases.

The database also contained email address and some password data related to failed login attempts. … We verified this by attempting to log into the app [and] our dummy email address and password appeared in the database almost immediately.

The database was exposed for months. … Security researcher Nitish Shah told [me] he also found the exposed database months earlier. “I even notified them, but they [didn’t] reply or fix it,” he said. He provided … proof, which [I] verified.

MoviePass has been on a roller coaster. … The company quickly grew its customer base [but] took a tumble after critics said it grew too fast, forcing the company to cease operating briefly after the company ran out of money. … Leaked internal data from April said its customer numbers went from three million subscribers to about 225,000.

Yikes. Lisa Vaas adds, “database found exposed”:

Last year, MoviePass CEO Mitch Lowe gloated about how the company was using subscribers’ data: … “We know all about you.”

Well, to put a rancid cherry on top … MoviePass didn’t just know “all about you.” It also apparently knows how to let all that knowing flop around, unprotected, on the internet.

Was it an esoteric hack that got the database there? A hole in cybersecurity defenses?

Not really. … Somebody neglected to protect a critical server.

And Dave McNary piles on, in, “MoviePass Confirms Security Lapse”:

MoviePass parent Helios and Matheson Analytics is the target of a securities-fraud probe by the New York Attorney General, which is looking into whether the company misled investors. MoviePass also is the target of a class-action lawsuit by subscribers claiming … a deceptive “bait-and-switch” tactic.

While a super-sweary William Hughes F-bombs it up:

“Insult to injury” is one of those phrases that gets tossed around a lot in certain circles, enough that it can often feel diluted. … Which leaves us with something of a conundrum tonight, as we struggle to figure out what to call the news [that] digital-Hindenburg MoviePass reportedly left a password off one of its critical servers.

Certainly a ****-up like this, coming from a company like that, is injurious, and, indeed, insulting. But given how consistently crappy MoviePass has treated its customers and employees … a phrase that simple also feels inadequate.

“Adding ****-sult to ****-jury” does feel a little more succinct. … MoviePass issued a statement … presumably investing large reserves of its personal attention and energy into keeping a straight face while pretending to be concerned about having blithely ****ed its users yet again.

But Jason Guerrasio has even more dirt to dish—“How a controversial Florida businessman blew up MoviePass”:

The company was overwhelmed by its overnight success and couldn’t keep up with demand. A quarter-million new subscribers were signing up every month, and MoviePass customer-service lines were flooded with complaints.

[CEO Mitch] Lowe dreaded the company’s power users, those high-volume MoviePass customers who were taking advantage of the low monthly price, constantly going to the movies, and effectively cleaning the company out. … According to multiple former employees, Lowe ordered that the passwords of a small percentage of power users be changed, preventing them from logging onto the app and ordering tickets.

Oh, passwords—I nearly forgot. What was that other thing about passwords? HussDelRio reminds us:

“We found hundreds of records containing users’ email addresses and … incorrectly typed passwords.” … This goes beyond password reuse problems: If you accidentally entered a password for your financial institution and use the same email address, you may not even think to change that password (even if that password is totally unique).

This one is going to bite a few people and they may never even realize how/why.
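The failed-login logging HussDelRio describes is a server-side design choice. As an added example (not MoviePass code, and not from any of the quoted sources), here is the defensive pattern in Python: record that a login failed, for which account and when, but redact the submitted password and any card number before anything is persisted. The names `SECRET_FIELDS`, `redact` and `FailedLoginLog` and the sample payload are my own constructions.

```python
import re
import time
from collections import Counter
from typing import Optional

# Field names whose values must never be written to a log or audit table (constructed list).
SECRET_FIELDS = {"password", "passwd", "pin", "card_number", "cvv"}
# Crude 13-19 digit run, to catch a card number that arrives under an unexpected key.
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def redact(payload: dict) -> dict:
    """Return a copy of a request payload that is safe to persist."""
    safe = {}
    for key, value in payload.items():
        if key.lower() in SECRET_FIELDS:
            safe[key] = "[REDACTED]"
        elif isinstance(value, str) and _PAN_RE.search(value):
            safe[key] = _PAN_RE.sub("[REDACTED-PAN]", value)
        else:
            safe[key] = value
    return safe


class FailedLoginLog:
    """Audit store for failed logins: which account, when, how often; never what was typed."""

    def __init__(self) -> None:
        self.records: list = []
        self.per_account: Counter = Counter()

    def record(self, payload: dict, now: Optional[float] = None) -> dict:
        entry = {
            "ts": now if now is not None else time.time(),
            "email": payload.get("email", ""),
            "outcome": "failure",
            # Only the redacted form is kept, so a password mistyped from another
            # service (the risk HussDelRio describes) never lands in this table.
            "request": redact(payload),
        }
        self.records.append(entry)
        self.per_account[entry["email"]] += 1
        return entry

    def contains(self, *secrets: str) -> bool:
        """Self-check for the store: True if any given secret appears in what was persisted."""
        blob = repr(self.records)
        return any(s in blob for s in secrets)
```

The `per_account` counter keeps the one thing a failed-login table is legitimately for, spotting brute-force attempts against an account, without keeping the guesses themselves.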

Don’t say you weren’t warned. This Anonymous Coward told ya so:

There was no rational way for this company to ever turn a profit. They kept hoping that someone would come in and buy them out and never worried about the impossibility of being viable long term.

I never subscribed because honestly, I expected them to fail within the first five months. Idiots keep funding them though so they are still taking money to pretend that their service has a future.

Something should be done! wst_ suggests, uh, something:

I have a feeling that such omissions should be punishable. High fines or something. Time’s changed, law should change as well.

Meanwhile, Porcupine-Tree grows-spiky:

How is MoviePass still a thing?

You may well ask. What we need is a colorful metaphor. So coolmanguy obliges:

It’s like a burning ship carrying dynamite getting bombed.

Or how about this, from logicallee?

Imagine opening a bank that lets you get free unmetered cash at ATMs, on the theory that it will be like free drinks refills at restaurants, because how much spending money do you really need?

Except, “Ooops, it turns out people really like money.”

And Finally:

Raspberry Pi 4 on the Raspberry Pi 4


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Annca (Pixabay)

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
