Subscription-based movie ticketing firm MoviePass has exposed the credit card data of tens of thousands of its users due to an unprotected server.
Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database, which contained more than 161 million records, on one of the company’s many subdomains.
The numbers from MoviePass customer cards, which are issued by Mastercard and store a cash balance, have been potentially uncovered.
The database had more than 58,000 records containing card data, and TechCruch said it discovered customers’ personal credit card numbers and their expiry date — which included billing information, names and postal addresses.
The database also contained email addresses and some password data related to failed login attempts.
Hussein contacted MoviePass chief executive Mitch Lowe by email last weekend but did not hear back. It was only after TechCrunch reached out Tuesday when MoviePass took the database offline.
Lowe told TechCrunch: “MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident.
“MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.”