MoviePass, the company that just keeps getting worse, allegedly left a database unencrypted that exposed thousands of credit card numbers belonging to its users. A report published last month by TechCrunch revealed that the company kept a database full of private data unencrypted, making it easily accessible to hackers looking to acquire user data and financial information. This report comes after the company shut down its service in July.
User Debit and Credit Card Numbers Exposed
With the help of TechCrunch, Mossab Hussein, a security researcher who works for SpiderSilk, a cyber-security firm in Dubai, found the exposed database in August. But some researchers report finding access to the information going as far back as May, before the company shut down and never started back up again. A database that held user information was left unencrypted, allowing anyone with the computer skills to access sensitive data such as user credit cards and the debit card numbers of MoviePass cards that belonged to thousands of users.
In the report, TechCrunch outlined that it was able to obtain enough credit card information from hundreds of users to be able to make a fraudulent purchase. While some records contained only things like the last four digits of a user's credit card number, others contained the full 16-digit number, the expiration date, and the zip code of the credit card owner. The report also clarified that the information was updating at a constant rate. This suggests that more credit card information was being added to the database by the minute.
In other parts of the database, TechCrunch reporters were able to get ahold of the debit card information for thousands of MoviePass debit cards. The cards, which are distributed through MasterCard and work like a prepaid debit card, are loaded each time the user requests to see a screening of a certain film at a participating MoviePass theater. While the debit cards are never loaded with more than a couple of dollars at a time, they are connected to each individual's account.
Different reports of the data breach circulating the web suggest that MoviePass has been aware of the unencrypted information for months now. However, TechCrunch did not hear back from the company until after reaching out for a second time toward the end of August. The company’s CEO Mitch Lowe, who was previously thought to have been missing in action, did not respond to the media outlet’s first request for comment. The second, however, saw the database get shut down altogether.
MoviePass has not announced when it plans to restart its service, if at all. The service shut down in July with the excuse that it was revamping its user interface to be better than ever, but the reality was that it was simply out of money and had no other option. With such a dark past, it would be sur