MoviePass Exposes 161M Records

It was recently reported that movie ticket subscription service MoviePass exposed tens of thousands of customer card numbers because a critical server was not protected with a password. The database contained 161 million records at the time of writing and was growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service — but many also included sensitive user information, such as MoviePass customer card numbers. In fact, more than 58,000 records contained card data — and that number was growing by the minute.

11 Expert Comments
Tim Erlin, VP of Product Management and Strategy
InfoSec Expert
August 23, 2019 1:14 pm

As consumers, we expect organizations to do the basics to protect our data. Unfortunately, when they fail to do so, there’s not that much that consumers can really do to put the genie back in the bottle. The data, once compromised, remains compromised.

The payment card industry data security standard (PCI DSS) has been around for more than a decade, and securing a database of card data with a password has been a basic requirement since the first version.

Jonathan Knudsen, Senior Security Strategist
InfoSec Expert
August 22, 2019 5:37 pm

The security of an organisation is only as strong as its weakest link. In this case, one employee made one bad decision that had huge consequences. Even if products and services are created using a secure software development life cycle (SDLC), any victories there are negated when similar security-forward processes are not followed in deployment, operations, and elsewhere within the organization. Meaningful risk reduction occurs only when a security-first approach pervades every area of an organisation.

Matt Keil, Director of Product Marketing
InfoSec Expert
August 22, 2019 5:32 pm

The exposure of credit card information by MoviePass along with the discovery of 1M+ user records including emails by are new examples in the increasingly long list of insecure databases due to human error. These mistakes have become so frequent that we, as users, have become numb to the repeated human errors. Where are the checks and balances to confirm the resource is protected? At a minimum, organizations should follow the recommendations outlined here.

Adam Laub, CMO
Industry Leader
August 22, 2019 6:38 am

There are really two separate, yet closely related components to this story. On one side you have a database rich with sensitive, personally-identifiable information that is readable in plaintext. On the other, you have a misconfiguration that allows anyone with internet access to view that information. Which is worse? Had the data been masked, the information would still be accessible, but perhaps not so immediately valuable. If access rights were configured properly and appropriately, this discovery might never have been made and there would be no story in the first place. The right answer is both, as a layered approach to security is the ideal scenario, but either could have conceivably been enough to make this a non-issue. While convenient to say in light of this particular situation, organizations of any type or size can drastically mitigate their risk of finding themselves in these types of situations by focusing their time on locating and limiting access to the data attackers would be most interested in, as well as verifying desired configurations are being adhered to across all devices and information assets.

Chris DeRamus, CTO and co-founder
InfoSec Expert
August 21, 2019 4:19 pm

Leaving 58,000+ records containing payment card data unencrypted on a publicly accessible database is concerning; however, the fact that MoviePass initially ignored the vulnerability when it was notified is even worse. Misconfigurations like this are frequent, and enterprises should be thankful when white hat security researchers flag vulnerabilities before they can be exploited. Consumers that trusted MoviePass with their data expect their personally identifiable information to be protected with mature security controls. Within the months that MoviePass’ database was exposed, cybercriminals not only could have made fraudulent purchases, but they also could have launched phishing attacks against MoviePass customers to gain access to additional sensitive information.

MoviePass joins Honda, AavGo, Rubrik, Gearbest and countless other organizations this year to fall victim to data leaks via cloud service misconfigurations. The truth is, most companies still lack the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions must be a priority for all companies that are using cloud services. Without these tools in place companies will continue to lack the ability to detect misconfigurations and alert the appropriate personnel to correct the issue or better drive automated remediation in real time.
