Came tumbling, tumbling.
MoviePass has been, possibly, my favorite slow-motion trainwreck to spectate in my time writing here. And this time, they’re back in the news. Why? Shitty data security, of course!
Per TechCrunch, they apparently left the records of 58,000 subscribers on a completely unprotected public server. Just like that now-famous cake in the rain.
Security researcher Mossab Hussein of SpiderSilk found a database on a MoviePass subdomain that held some 160,000,000 records on a completely unsecured server. Among those, 58,000 were records with customer information, including information about their MoviePass cards. But it wasn't just that; it also held their personal info: credit card information, names, and addresses.
It also contained email addresses, as well as all the passwords a user had used, including those with typos. From the TechCrunch article:
The database also contained email address and some password data related to failed login attempts. We found hundreds of records containing users’ email addresses and presumably incorrectly typed passwords — which was logged — in the database. We verified this by attempting to log into the app with an email address and password that didn’t exist but only we knew. Our dummy email address and password appeared in the database almost immediately.
According to cyberthreat intelligence firm RiskIQ, it first discovered the database publicly accessible and unprotected sometime in June.
Honestly, I’m surprised they’re still somehow standing. I kinda figured they’d die last year. They keep somehow shoveling more money into it even though the writing’s on the wall. Either way, I can’t imagine it’ll be long now. I’ll have something special prepared for the funeral.
Source: Gizmodo