
MoviePass database exposes 161M records - LinuxBender
https://www.scmagazine.com/home/security-news/moviepass-database-exposes-161-million-records/
======
ziddoap
With the billions of records breached this year alone, I'm feeling quite
apathetic to these stories now.

Thousands or millions of records are breached due to X (usually egregious
negligence, sometimes not), the company makes an apology full of mental
gymnastics, blame game, and bold lies ("Your privacy is our number one
concern, we're sorry we are only pretending to care now."), a few days later
the heat is off because another company let loose a few million other records.
Repeat.

I feel like I need to be re-sensitized. This is a major problem - and I just
can't seem to muster up any care for it anymore.

~~~
soulofmischief
Everyone has an opinion on why Amazon is a monopoly and should be broken up,
but this is what they don't think about. I _trust_ Amazon not to get breached.
No one is infallible, but tech is their _thing_.

I have no interest however, in further increasing the amount of online
shopping accounts I maintain, because that means I have to keep tabs on the
shenanigans of even more, highly technically incompetent, companies to know if
I've been compromised.

~~~
symlinkk
Just use a password manager so you can have a different password for each
site. It's not that hard.

~~~
jvagner
The article points out that MoviePass had user and credit card data in plain
text. A password manager wouldn't have helped with that.

~~~
checker
The credit agencies are supposed to protect cardholders via PCI DSS audits
(see
[https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...](https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf)).
This is definitely non-compliant. Obviously this system is broken.

Additionally, I don't understand why companies continue to roll their own
payment processing rather than paying a service that knows how to do it. I
guess it seems easy...

~~~
nineears
PCI DSS is a program of the card associations to protect the _issuing banks_
from fraud losses. Merchants have difficulty complying so it ends up as a
balancing act between keeping the wheels of commerce moving and preventing
fraud.

Fully outsourced payment solutions are a good fit for some business models but
not for others.

~~~
AdieuToLogic
Great post.

One thing I would add is that PCI DSS is also applicable to ISOs as well as
VARs which operate payment processing gateways.

------
minimaxir
Blogspam of [https://techcrunch.com/2019/08/20/moviepass-thousands-data-e...](https://techcrunch.com/2019/08/20/moviepass-thousands-data-exposed-leak/)
(which I did submit
[[https://news.ycombinator.com/item?id=20752190](https://news.ycombinator.com/item?id=20752190)]
but didn't get many upvotes, hmrph)

------
creaghpatr
I thought MoviePass was already deep in the red. What incentive do they or any
company have to protect their data if they are imminently going bankrupt? I'm
guessing cybersecurity is not their most pressing concern, although maybe it
is now.

~~~
goatinaboat
Their customer database was probably the only asset of value they had.

~~~
jonknee
Is a list of people who like to pay less than face value for movie tickets
valuable?

~~~
bduerst
Yes. It's a list of price-sensitive consumers who historically respond well to
perceived discounting.

General rule of thumb for spam email is 0.1% conv rate, so if you blasted this
leak list then you'd have 150K sign ups.

~~~
freewilly1040
What's the marginal value of this kind of list though? Call me cynical, but I
would assume data of a similar type and quality is already readily available.

~~~
bduerst
None really. Keep in mind any list dumps you can easily find online have
already been pillaged thoroughly.

There is an entire data broker industry that relies on selling lead/contact
information, so if anything there is a value savings on the hack. I've seen
high quality contact (and assoc. company) data sell anywhere from $3 to $120.

------
fitzroy
If I want a trip down memory lane, I can just check the data breach section of
CreditKarma and see a chronological history of all of my passwords from the
last 25 years.

At this point, I'd join a social network that matched me with all of the
people around the world that also used the same "clever, obscure" passwords.

------
reilly3000
Why are they storing credit card numbers in a database in the first place?
This should fall under PCI-DSS if so.

------
SilasX
So ... twenty years of free credit monitoring, then?

------
nfRfqX5n
Unfortunately this is just becoming the norm and companies aren't held
accountable for losing data. Every account I make now is with a catchall
domain and a randomly generated password.

~~~
umvi
> Unfortunately this is just becoming the norm and companies aren't held
> accountable for losing data

How would a company be held accountable for losing data? Fining them? Paying
out to users?

~~~
Thriptic
Pass a law that says every lost user account is an X dollar fine based on data
"richness" that can't be discharged in bankruptcy. For simplicity, let's say
$10 in this case. 160 million lost accounts is now a 1.6 billion dollar fine.
That is enough to cripple a lot of companies. It would make people think long
and hard about what data they wanted to keep and how they wanted to secure it.

Alternatively, create a situation where companies are responsible in
perpetuity for damages related to identity theft if a victim's credentials are
lost. If company X loses my SSN and then someone opens up a fake account in my
name, they are automatically responsible for any costs I incur and I don't
have to prove attribution.

The purpose should be to heavily, heavily disincentivize any storage of basic
data or PII unless absolutely necessary.

~~~
umvi
Yes, that would also make it really easy for individuals/corporations/state
actors/etc. to destroy companies: secretly employ security researchers that
compromise your target's database and bam, you've just crippled/ruined them.

China tired of US putting pressure on Huawei? Bam, start targeting American
companies and totally financially ruin them using their own privacy laws/fines
against them!

Disgruntled suicidal employee has a grudge? Take down the whole company on
your way out with that backdoor time bomb you planted and let the $1.6B fine
do the rest!

~~~
Jweb_Guru
You know that there are other industries that have heavy regulatory fines like
this, right? The existence of a software culture where a single rogue employee
can easily destroy the privacy of hundreds of millions of people is _itself_ a
huge part of the security problem. If there were actual consequences for this
kind of thing there would be a lot of changes to software development
practices. I'm not saying that culture alone will make code perfectly secure,
but I do think _caring_ about the code being secure (in the sense that the
company will face deep financial and legal trouble if it isn't) is a necessary
prerequisite. Arguably, it's the _only_ thing that works.

You may argue that you can't just buy absence of security bugs with money and
a different culture, but there are plenty of formal verification tools out
there, and they are not all toys. True, verified code is expensive compared to
writing "normal" software, which is developed using the same "best practices"
that lead to a data breach being announced seemingly every other day. But it
is quite cost-competitive with "high assurance" software (i.e. software
developed when people face real consequences for the existence of bugs) and
the techniques have been used to secure a number of nontrivial real systems by
now. I have absolutely no doubt (as someone who's in the field) that we would
see a huge boost to the state of the art in that field if there were actual
money in it, especially considering how much of the current difficulty with
using formal verification comes down to the lack of user-friendly tooling.

But, to reiterate, my larger argument isn't really about formal verification;
I'm mostly bringing it up to refute the argument that the existence of bugs is
something totally outside of any company's control. Ultimately companies are
currently choosing not to pay to make their code secure, and it's not hard to
see why given the current legal climate of "there are no consequences
whatsoever." Ideally, the first step towards fixing this would be for the
software development community at large to acknowledge that it is, actually, a
choice, but frankly I don't see things happening that way. If a move towards
not just safer, but genuinely bug-free (or at least, bug-free outside of
hitherto undiscovered exotic side channels) software is going to happen at
all, it'll be because a large government drags its country's unwilling
programmers and CEOs in that direction.

------
jammygit
As usual, I want to ask: what are your favourite resources for security? These
breaches seem like a good opportunity to share knowledge.

I like the OWASP content. Google Gruyere is also really nice for XSS imho.

------
leowoo91
In what scenario could a system without a DB password possibly be designed
for new startups?

------
crispyporkbites
It wasn't 161m customers that were exposed, it was 0.058m.

Pretty big difference to what the headline implies.

~~~
ziddoap
Headline is accurate. 161M records were in the database. They have evidence
that _at least_ 60,000 of the records accessed had credit card data attached.

> _161 million records was left unsecured and exposed credit card and
> customer card information on at least 60,000 of the ticket service's
> customers._

------
largote
We need a GDPR equivalent in the US. That's the only way this will change.

~~~
mychael
No thanks. That's a solution worse than the problem.

------
lotaezenwa
Sounds like an insurance scam

