MoviePass Confirms Security Flaw, Reveals Credit Information

MoviePass, a United States-based movie ticket subscription company, recently confirmed a security flaw. The flaw reportedly leaked sensitive customer information, including credit card numbers.

TechCrunch first disclosed the issue last Tuesday, August 19, 2019, following a series of exchanges with Mossab Hussein, the head security researcher who found the flaw. Hussein works at SpiderSilk, a cybersecurity firm located in Dubai.

In an interview with CNN, Hussein acknowledged that the unprotected server contained millions of customer records, including MoviePass customer card numbers. Besides credit card numbers, the database also exposed other data such as user names, postal addresses, and card expiry dates.

According to TechCrunch, some records also exposed the last four digits of stored credit card numbers. Email addresses and passwords were also compromised in the breach, as none of the data found on the server was encrypted.

About the MoviePass Credit Card

MoviePass provides its customers with its own version of cards that function like normal debit cards. Issued by Mastercard, these cards are loaded with balances customers can use to purchase movies at actual cinemas. Customers may also use the loaded amount to purchase films found on a catalogue.

No Reply

Upon discovering the leak, Hussein immediately contacted Mitch Lowe, chief executive officer of the company. However, the researcher received no reply from the CEO, which prompted Hussein to reach out to TechCrunch. Following TechCrunch’s correspondence, MoviePass took the database offline, later stating that the server is safe.

Other cybersecurity researchers also spoke about the issue, including Yonathan Klijnsma and Nitish Shah.

In a statement issued by the company, the MoviePass CEO said that they “take this incident seriously and is dedicated to protecting our subscribers’ information.” Once a thorough investigation has been conducted by the firm, they “will promptly notify any affected subscribers and the appropriate regulators or law enforcement,” reports The Verge.