A critical server unprotected by a password has apparently left important MoviePass customer information exposed, TechCrunch reports. Up to 58,000 records containing card data were apparently found in the exposed database.
According to the report, many of the records included MoviePass customer card numbers:
These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.
More worryingly, some of the records revealed customers' personal credit card numbers, along with billing information, addresses, and names. TechCrunch claims the exposed database included enough information for someone to make a fraudulent card purchase.
That's not all that was left exposed:
The database also contained email address and some password data related to failed login attempts. We found hundreds of records containing the user's email address and presumably incorrectly typed password — which was logged — in the database. We verified this by attempting to log into the app with an email address and password that didn't exist but only we knew. Our dummy email address and password appeared in the database almost immediately.
None of the records in the database were encrypted.
TechCrunch's report says the database may have been exposed for several months; it has since been taken offline. The publication said it reached out to MoviePass for comment but a spokesperson did not get back.
If you're a MoviePass subscriber and want to cancel your account, check out this guide.