It probably shouldn't be too surprising that a company that has a questionable business plan might have questionable security.
The database contained 161 million records, all of them unencrypted, and was still growing when TechCrunch's Zack Whittaker got a look at it. (Most of the records were internal logging data.) Whittaker was able to add a new user record to MoviePass' website and see it appear in the database.
After a failed attempt to contact MoviePass management over the weekend, TechCrunch got through today (Aug. 20) and the database was taken offline.
The fact that the database was accessible over the internet without a password doesn't necessarily mean that anyone noticed before Dubai-based researcher Mossab Hussein found it. (Hussein's company, SpiderSilk, specializes in locating such things.) That's why we're not calling this a data breach -- there's no evidence that any of the information was stolen.
But there's a decent chance that Hussein wasn't the first to find the exposed database. So if you've given MoviePass your credit-card or debit-card number, you'd better check your statements.
If you're a U.S. resident, you're not likely to be responsible for any fraudulent charges, but you've got to contact the card issuer or bank ASAP if you notice anything suspicious.
The database also contained tens of thousands of customer-card numbers, TechCrunch reported. MoviePass customer cards are essentially debit cards containing customers' MoviePass balances, with which customers pay for movie tickets at cinemas.
MoviePass is an interesting business that offers a limited number of first-run movie tickets for a flat monthly rate that's a steep discount from the normal ticket price. For example, you can pay $9.95 to see three movies, and MoviePass in turn pays the theaters the full price.