MoviePass on Wednesday confirmed a security issue may have exposed customers’ records.
In a statement, MoviePass said a security lapse was recently discovered and its system was immediately secured. Reports of the data breach first surfaced Tuesday.
The breach is believed to affect tens of thousands of customers, according to TechCrunch, which first reported the news. But MoviePass did not confirm the number, stating it is still investigating the scope and will notify affected customers eventually.
The breach was discovered by Mossab Hussein, a security researcher at SpiderSilk, a cybersecurity firm in Dubai, the report said. Hussein confirmed to CNN Business the database he found contained millions of entries, some of which had sensitive data such as MoviePass customer card numbers.
MoviePass customers are issued cards that function like debit cards. Customers pay a monthly subscription fee to watch a maximum of one movie a day. MoviePass loads the full cost of a movie onto their card and the cash balance can then be used to pay for movies at theaters.
In 2017, MoviePass changed its business model to offer a plan with a monthly price of $9.95, which entitled customers to watch one movie a day. It surged in popularity, but it was forced to briefly stop running when it ran out of money. It has since resumed service but has continued to face challenges.
Hussein told CNN Business that when the data was discovered, he emailed MoviePass CEO Mitch Lowe to report it. When he didn’t hear back after a few days, Hussein reached out to TechCrunch.
“We feel the average customer should have the right to know about such incidents ASAP, and as transparently as possible,” Hussein said.
MoviePass said it would continue to disclose information about the incident.