On Tuesday, TechCrunch reported that security researcher Mozab Hussein, with SpiderSilk, had discovered an unencrypted MoviePass database with millions of records. Some records included the personalized debit card numbers that subscribers use when they buy tickets, while others listed customer personal information, including credit card numbers, expiration dates, and billing information. Another researcher discovered the exposed information back in July and notified the company, but none of them managed to get a response, while another revealed evidence that the database was public as of May this year.
MoviePass took the database offline yesterday, after the report, and today finally responded publicly with a spokesman's statement.
Recently, MoviePass has discovered a security vulnerability that may expose subscribers' records. Once we found the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting the information of our subscribers. We are working hard to investigate the scope of this incident and its potential impact on our subscribers. Once we have a full understanding of the incident, we will immediately notify all affected subscribers and the relevant regulators or law enforcement agencies.
The company put its services on hold in July, saying it was working on its application but could not "close this security hole