MoviePass Exposed Thousands of Unencrypted Customer Card Numbers

New submitter sizzlinkitty writes: Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company's many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service -- but many also included sensitive user information, such as MoviePass customer card numbers. These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies.

Reset passwords

[Synonymous Cowered]

Oh darn, their server was hacked. I guess they're gonna have to reset passwords again.

Re:

[Tablizer]

Yes, your "123dontHackMe" was too easy to guess.

Re:

[Synonymous Cowered]

I was referring to this story from a few weeks ago: https://entertainment.slashdot... [slashdot.org]

I use Acerose password vault,

[Trax3001BBS]

it's got a serious security problem in that all it's back-ups are in plain text. But it's what I started with and allows me to use a different password for each site.

Re:

[Anonymous Coward]

Move to KeePass. You will be glad you did.

No, no they dont

[OverlordQ]

These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies.

They carried no balance until you checked-in to a movie.

Re:

[Synonymous Cowered]

Oh crap, it didn't sink in about exactly what these card numbers were. I never used MoviePass, but I take it what you are saying is that to use MoviePass, you need to pay with a specially issued credit card...the one which was just compromised? Screw my joke above about them resetting passwords to lock customers out ( in reference to this: https://entertainment.slashdot... [slashdot.org] ), now they just can revoke the cards completely and take their sweet time reissuing them.

Worse than password reset scenarios

[HussDelRio]

From TFA: "We found hundreds of records containing users’ email addresses and presumably incorrectly typed passwords — which was logged — in the database." This goes beyond password reuse problems: if you accidentally entered a password for your financial institution and use the same email address, you may not even think to change that password (even if that password is totally unique). This one is going to bite a few people and they may never even realize how/why.

Re:

[Synonymous Cowered]

I know I've done that with websites before and immediately thought "oh shit, I hope these dumbasses aren't logging bad passwords".

Re:

[Oswald McWeany]

I know I've done that with websites before and immediately thought "oh shit, I hope these dumbasses aren't logging bad passwords".

I know everyone on Slashdot hates Paypal, but I try to pay with paypal anywhere online rather than a credit card. I cringe when I can't. With paypal I'll know sooner of any unauthorized payment because I have the e-mails automatically generated; and I can keep online stuff separate from in-person payments.

Value-limited, single-vendor virtual credit cards

[ZipK]

A good reason to use a virtual credit card which can only be charged by a single vendor.

https://www.creditkarma.com/cr... [creditkarma.com]

Plans...

[sconeu]

I guess their security plan was written by the same guy that wrote their business plan...

Re:

[Opportunist]

My main question is the "guy" here.

My money is on "monkey".