UPDATED 22:49 EDT / AUGUST 20 2019

SECURITY

MoviePass customer credit card data exposed in unsecured database

Tens of thousands of customers of movie ticketing service MoviePass Inc. may have had their credit card and customer card details stolen as a database containing 161 million records was discovered unsecured online.

The discovery, reported Tuesday by TechCrunch, involved a live database that recorded customer details as well as their transactions.

Around half the records analyzed, excluding duplicates, were found to contain MoviePass customer card numbers, while a small number contained actual credit card numbers. MoviePass customer cards are debit cards issued by Mastercard that customers use to purchase movie tickets at the box office.

In the case of both customer cards and credit cards, the exposed database included the card number, expiration dates, cardholder name and billing address all in plain text. Making matters worse, MoviePass failed to take down the database when first informed that it was exposed to all and sundry, only acting when it was contacted by TechCrunch.

“Because a database was left publicly accessible, reportedly for months, at least 58,000 records related to MoviePass customers are vulnerable to misuse and abuse at the hands of cybercriminals,” Stephan Chenette, co-founder and chief technology officer of enterprise security firm AttackIQ Inc., told SiliconANGLE. “At its peak, MoviePass boasted more than 3 million customers in June 2018, so it’s entirely possible we’ll see the number of impacted individuals grow exponentially.”

Anurag Kahol, chief technology officer at cloud access security broker provider Bitglass Inc., noted that the type of data exposed by MoviePass puts customers at risk of highly targeted phishing attacks and identity theft.

“What stands out about this incident is the amount and type of data that was stored in plaintext and ultimately was left publicly accessible,” Kahol added. “Companies should always encrypt sensitive data – even when it is used solely for internal purposes.”

Chris DeRamus, chief technology officer at cloud and container security firm Divvy Cloud Corp., agreed that the data breach was concerning but noted that the fact that MoviePass initially ignored the vulnerability when it was notified is even worse.

“Misconfigurations like this are frequent, and enterprises should be thankful when white hat security researchers flag vulnerabilities before they can be exploited,” DeRamus said. “Consumers that trusted MoviePass with their data expect their personally identifiable information to be protected with mature security controls. Within the months that MoviePass’ database was exposed, cybercriminals not only could have made fraudulent purchases, but they also could have launched phishing attacks against MoviePass customers to gain access to additional sensitive information.”

Image: MoviePass/Apple App Store
