An exposed database on a MoviePass subdomain
housing 161 million records was left unsecured and exposed credit card and
customer card information on at least 60,000 of the ticket service’s
customers.
The database, which included expiration dates,
names and addresses on some users as well as email and passwords, was
discovered by SpiderSilk security researcher Mossab Hussein, according to a report
from TechCrunch, which said the information may have been exposed for several
months.
“Because a database
was left publicly accessible, reportedly for months, at least 58,000 records
related to MoviePass customers are vulnerable to misuse and abuse at the hands
of cybercriminals,” said Stephan Chenette, Co-Founder and CTO at AttackIQ. “At its peak, MoviePass boasted more than 3
million customers in June 2018, so it’s entirely possible we’ll see the number
of impacted individuals grow exponentially.”
And while it’s a “bit
unclear how many of these records included sensitive consumer data,” said Jumio
President Robert Prigge, “what we should all expect is that a healthy chunk of
this data will ultimately find a happy home on the dark web.”
Because “technically,
this breach can be interpreted as the company giving away customer data for
free” and because the exposed data included personally identifiable information
and payment card details, it leaves “impacted customers vulnerable to future
fraud or phishing attacks,” said Arkose Labs CEO Kevin Gosschalk.
The once rapidly growing, but often
financially challenged, MoviePass popped up last year to great fanfare,
attracting millions of customers who pony up a monthly subscription fee and use
MasterCard-issued debit cards to pay for movie passes.
“Unlike credit cards, debit cards don’t offer
the same protection to customers. When a fraudulent transaction occurs on your
credit card, you have lost no money and the issue will never impact your bank
account. With a debit card, your bank account balance is directly affected from
the moment the fraudulent transaction takes place. While the customers can put
a hold on their cards, timing is the key in these types of situations. As
this database was left publicly accessible, reportedly for months,
companies must learn from MoviePass’s mistake and implement a proactive
approach to fraud prevention that safeguards their customers’ data.”
Adam Laub, CMO at STEALTHbits Technologies, sees “two separate, yet closely related components” to the MoviePass breach. “On one side you have a database rich with sensitive, personally-identifiable information that is readable in plaintext,” he said. “On the other, you have a misconfiguration that allows anyone with internet access to view that information. Which is worse?”
Laub said if the data had “been masked, the
information would still be accessible, but perhaps not so immediately valuable”
but “if access rights were configured properly and appropriately, this
discovery might never have been made and there would be no story in the first
place.”
Both are problematic. “A layered approach to
security is the ideal scenario, but either could have conceivably been enough
to make this a non-issue,” he said. “While convenient to say in light of this
particular situation, organizations of any type or size can drastically
mitigate their risk of finding themselves in these types of situations by
focusing their time on locating and limiting access to the data attackers would
be most interested in, as well as verifying desired configurations are being
adhered to across all devices and information assets.
MoviePass had trouble keeping pace with its rapid growth and has reportedly seen a drop in membership to fewer than 225,000 subscribers. The movie subscription service could see its reputation – and financial future – continue to dive after this latest incident, which came at a particularly crucial juncture following a series of unfortunate events. “MoviePass reportedly obstructed its customers from buying tickets by forcibly changing user passwords in April 2019,” said Ben Goodman, senior vice president of global business and corporate development at ForgeRock. “According to a recent survey from PwC, 87 percent of consumers take their business elsewhere if they do not trust a company is handling their data responsibly, so it will not be surprising if affected customers take their business to alternative services like Regal Entertainment’s Regal Unlimited instead.”
