MoviePass exposed thousands of unencrypted customer card numbers – gpgmail


Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company’s many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real-time. Many of the records were normal computer-generated logging messages used to ensure the running of the service — but many also included sensitive user information, such as MoviePass customer card numbers.

These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.

We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance, when it was activated.

The database had more than 58,000 records containing card data — and was growing by the minute.

We also found records containing customers’ personal credit card numbers and their expiry date — which included billing information, including names, and postal addresses. Among the records we reviewed, we found records with enough information to make fraudulent card purchases.

Some records, however, contained card numbers that had been masked except for the last four digits.

The database also contained email address and some password data related to failed login attempts. We found hundreds of records containing the user’s email address and presumably incorrectly typed password — which was logged — in the database. We verified this by attempting log into the app with an email address and password that didn’t exist but only we knew. Our dummy email address and password appeared in the database almost immediately.

None of the records in the database were encrypted.

Hussain contacted MoviePass chief executive Mitch Lowe by email — which gpgmail has seen — over the weekend but did not hear back. It was only after gpgmail reached out Tuesday when MoviePass took the database offline.

It’s understood that the database may have been exposed for months, according to data collected by cyberthreat intelligence firm RiskIQ, which first detected the system in late June.

We asked MoviePass several questions — including why the initial email disclosing the security lapse was ignored, for how long the server was exposed, and its plans to disclose the incident to customers and state regulators. When reached, a spokesperson did not comment by our deadline.

MoviePass has been on a rollercoaster since it hit mainstream audiences last year. The company quickly grew its customer base from 1.5 million to 2 million customers in less than a month. But MoviePass took a tumble after critics said it grew too fast, forcing the company to cease operating briefly after the company briefly ran out of money. The company later said it was profitable, but then suspended service, supposedly to work on its mobile app. It now says it has “restored [service] to a substantial number of our current subscribers.”

Leaked internal data from April said its customer numbers went from three million subscribers to about 225,000. And just this month MoviePass reportedly changed user passwords to hobble access for customers who use the service extensively.

Hussain said the company was negligent in leaving data unencrypted in an exposed, accessible database.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussain told gpgmail. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the dataset was exposed for public access by anyone,” he said.

The security researcher said he found the exposed database using his company-built web mapping tools, which peeks into non-password protected databases that are connected to the internet, and identifies the owner. The information is privately disclosed to companies, often in exchange for a bug bounty.

Hussain has a history of finding exposed databases. In recent months he found one of Samsung’s development labs exposed on the internet. He also found an exposed backend database belonging to Blind, an anonymity-driven workplace social network, exposing private user data.

Read more:


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

Credit Karma glitch exposed users to other people’s accounts – gpgmail


Users of credit monitoring site Credit Karma have complained that they were served other people’s account information when they logged in.

Many took to a Reddit thread and complained on Twitter about the apparent security lapse.

“First time logging in it gave me my information, but as soon as I refreshed the screen, it gave me someone else’s info,” said one Reddit user. “Refreshed again and bam! someone else’s info — it’s like roulette.” Another user said they logged in and out several times and each time they had “full access to a different random person’s credit file,” they said.

One user told gpgmail that after they were served another person’s full credit report, they messaged the user on LinkedIn “to let him know his data was compromised.”

Another user told us this:

The reports are split into two sections: Credit Factors — things like number of accounts, inquiries, utilization; and Credit Reports — personal information like name, address, etc.. The Credit Reports section was my own information, but the Credit Factors section definitely wasn’t. It listed four credit card accounts (I have more like 20 on my report), a missed payment (I’m 100% on time with payments), a Honda auto loan (never had one with Honda), student loan financing (mine are paid off and too old to appear on my report), and cards with an issuer that I have no relationship with (Discover).

Several screenshots seen by gpgmail show other people’s accounts, including details about their credit card accounts and their current balance.

Another user who was affected said they could read another person’s Credit Factors — including derogatory credit marks — but that the Credit Report tab with that user’s personal information, like names and addresses, was blank.

One user said that the login page was pulled offline for a brief period. “We’ll be right back,” the login page read instead.

Credit Karma spokesperson Emily Donohue denied there was a data breach, but when asked would not say how many customers were affected.

“What our members experienced this morning was a technical malfunction that has now been fixed. There is no evidence of a data breach,” the statement said.

The company didn’t say for how long customers were experiencing issues.

Credit Karma offers customers free credit score monitoring and reports. The company allows users to check their scores against several major credit agencies, including Equifax, which last month was fined at least $575 million for a 2017 data breach.




10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

Apple Card can’t be used to buy crypto – gpgmail


Cryptocurrency fans who were hoping to use Apple’s forthcoming credit card to splash on coin are out of luck. You also won’t be able to use the Apple Card to buy lottery tickets, casino gambling chips in any form, physical or virtual, or foreign currency or travelers checks.

Reuters spotted the detail in a customer agreement posted to Apple Card’s card issuer partner Goldman Sachs’ website which lists restrictions on transactions it describes as “cash advance and cash equivalents”.

The agreement defines these as meaning “any cash advance and other cash-like transaction, including purchases of cash equivalents such as travelers checks, foreign currency, or cryptocurrency; money orders; peer to peer transfers, wire transfers or similar cash-like transactions; lottery tickets, casino gaming chips (whether physical or digital), or race track wagers or similar betting transactions”.

Given the wild swings in crypto valuations the Apple+Goldman credit tie-up saying a firm ‘no’ to cardholders splashing on such shaky stuff is hardly surprising.

Apple announced it was getting into the credit card game back in March, saying the card would offer a 2% cash back incentive for using Apple Pay to make purchases. (The physical version of the Apple Card is slightly less generous vs the digital card.) While if you’re buying stuff direct from Apple there’s 3% cash-back.

There are also no late fees and no penalty rates. Interest rates for Apple Card are in the range of 13-24%, based on the user’s creditworthiness.

As with Apple Pay, there’s a privacy promise too — with a pledge that Apple Card transaction data won’t be sold for advertising or marketing, not by Apple, Goldman or any other partners. Though data may be shared with regulators for financial reporting purposes and so on.

The Apple Card is due to be released in the US next month.


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

Capital One’s breach was inevitable, because we did nothing after Equifax – gpgmail


Another day, another massive data breach.

This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Consumers and small businesses affected are those who obtained one of the company’s credit cards dating back to 2005.

That includes names, addresses, phone numbers, dates of birth, self-reported income and more credit card application data — including over 140,000 Social Security numbers in the U.S., and more than a million in Canada.

The FBI already has a suspect in custody. Seattle resident and software developer Paige A. Thompson, 33, was arrested and detained pending trial. She’s been accused of stealing data by breaching a web application firewall, which was supposed to protect it.

Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a date breach it had — and hid from the public for several months — two years prior.

Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action.

Equifax’s chief executive Richard Smith “retired” before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine — which amounted to about 20% of the company’s annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly.

Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before — technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Mark Warner, a Democratic senator serving Virginia, along with his colleague since turned presidential candidate Elizabeth Warren, was tough on the company, calling for it to do more to protect consumer data. With his colleagues, he called on the credit agencies to face penalties to the top brass and extortionate fines to hold the companies accountable — and to send a message to others that they can’t play fast and loose with our data again.

But Congress didn’t bite. Warner told gpgmail at the time that there was “a failure of the company, but also of lawmakers” for not taking action.

Lo and behold, it happened again. Without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.

Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.

The Equifax incident should have sparked a fire under the credit giants. The breach was the canary in the coal mine. We watched and waited to see what would happen as the canary’s lifeless body emerged — but, much to the American public’s chagrin, no action came of it. The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.

Companies continue to vacuum up our data — knowingly and otherwise — and don’t do enough to protect it. As much as we can have laws to protect consumers from this happening again, these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.

We had an opportunity to stop these kinds of breaches from happening again, yet in the two years passed we’ve barely grappled with the basic concepts of internet security. All we have to show for it is a meager fine.

Thompson faces five years in prison and a fine of up to $250,000.

Everyone else faces just another major intrusion into their personal lives. Not at the hands of the hacker per se, but the companies that collect our data — with our consent and often without — and take far too many liberties with it.


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something