MoviePass, the theater subscription service still inexplicably trying to stay in business, left thousands of customers’ credit card numbers and other sensitive pieces of data exposed for anyone to find on an online database, according to a report from TechCrunch. A cybersecurity expert named Mossab Hussain, from a Dubai-based firm named SpiderSilk, discovered the unprotected server and shared sample data sets with TechCrunch to confirm that MoviePass was in fact leaving the data unencrypted and accessible to anyone.

According to TechCrunch, the data includes both MoviePass debit card numbers and the actual personal credit card details of customers, including credit card numbers, expiration dates, billing addresses, and names. TechCrunch says the data was enough in some cases to make fraudulent credit card purchases using other people’s cards. The report also states how Hussain found email addresses and failed login data logged on the unprotected server, and TechCrunch tested this by making a failed login attempt using a dummy account. The database showed the information, unencrypted, “almost immediately.”

It’s not clear any of this information was ever collected or disseminated by a malicious third party. However, Hussain’s findings about the state of MoviePass’ security are deeply troubling. Given the mountain of controversies MoviePass has faced in the past, it’s easy to see how cybersecurity could fall by the wayside. But the level of blatant disregard here means thousands of MoviePass customers have been put at risk of fraud and identity theft.

MoviePass customers had sensitive credit card and personal information exposed

According to TechCrunch, Hussain reached out to the company about the unsecured server and did not get a reply back. Only when TechCrunch contacted the company earlier today was the database apparently taken down.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussain told TechCrunch in an interview. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the dataset was exposed for public access by anyone.” Hussain says he identified the unprotected database using SpiderSilk’s tools, which are designed to find these types of issues and help SpiderSilk disclose them to companies, sometimes in exchange for bug bounties rewards.

In case you haven’t been following the MoviePass debacle of late, the company’s subscriber base has plummeted by around 90 percent from its high of 3 million in mid 2018, after which company leadership discovered they could not reliably afford full-price movie tickets at the pace and volume customers were requesting them. That led MoviePass and its parent company, a data analytics firm called Helios and Matheson, to come up with seemingly every conceivable way to stay in business, from axing and reintroducing numerous versions of its subscriptions, blacking out certain movies and theaters, and pulling a number of shady tactics around plan cancellation and auto-renewal.

Most recently, MoviePass literally shut down its app, going black in early July. CEO Mitch Lowe said at the time that the company had to completely revamp its service, and it’s pledged not to charge monthly subscribers during the period and to credit customers for the lost time. More than a month later, the company’s website currently reads, “The MoviePass service has been restored to a substantial number of our current subscribers and we are hoping to take steps to restore service to all our current subscribers.” During the downtime, MoviePass has not been accepting new subscribers.

MoviePass does not have a press line it can be reached at. An email sent to its marketing address bounced back, and a request for comment sent to a former public relations spokesperson who has represented MoviePass in the past was not immediately returned. The Verge is currently trying to find out how best to reach out to the company for comment, and we’ll update this article when or if we do hear back.