Security News

Movie tickets service leaked 161M records, researchers say

Avast Security News Team, 23 August 2019

Plus, poker site dealt a hand of malware, ransomware hits 22 Texas towns, and Apple mistakenly unpatches a flaw

Cybersecurity researchers discovered an unprotected and unencrypted database containing over 161 million records belonging to movie ticket subscription service MoviePass. TechCrunch reported that many of the records pertained to daily service operations, but others held customer names, account data, and billing information, including credit card numbers. Some of the credit card numbers were masked except for the last four digits, while others were listed in full. MoviePass took the database offline, but experts believe it had been exposed online for months. Avast cybersecurity evangelist Luis Corrons said criminals and researchers both hunt such vulnerabilities, with very different motives. “We only become aware of these incidents when security researchers find them, however they do not just stumble upon these databases. They are always working to find weak spots. Cybercriminals do exactly the same, with the difference being that they won’t notify companies about the data exposure. They will just steal the information.”

This week’s stat

Sixty percent of the top 1,000 websites share information with third parties, many of which create profiles about visitors that they sell to advertisers and data companies, a Princeton University study found. Learn more in Device fingerprinting and the surveillance economy

Hackers deal poker website a hand of malware

The poker analysis website PokerTracker.com and its app have been injected with malware that steals payment information from users, Bleeping Computer reported. The malware is the infamous Magecart script that has been seen with increasing frequency over the past year. It sends the details of payments made through the site or app straight to the attacker’s control center. Researchers say PokerTracker made itself vulnerable to malware by using an outdated content management system that was easily compromised. Once PokerTracker was alerted to the problem, they took action to rectify it immediately.

This week’s quote

"Then I thought of an ‘Internet of Things,’ and I thought, ‘That’ll do – or maybe even better.’ It had a ring to it. It became the title of the presentation.” – Kevin Ashton, on how he named The Internet of Things

Ransomware hits 22 towns in Texas

In a rare coordinated attack, 22 towns across Texas were struck with ransomware at the same time. Dark Reading reported that the Texas Department of Information Resources believes all 22 were the work of a single threat actor. Ransomware attacks against individual towns and cities have been a rising concern this year, with Baltimore, Atlanta, towns in Florida, and other municipalities paralyzed by attacks. After some cities paid the ransom demands, the U.S. Conference of Mayors met and announced a resolution that as a deterrent to attackers, any future ransom demands would not be disbursed. By hitting 22 towns at once, attackers have raised response awareness to the state level, which experts believe will make it more unlikely that the ransoms will be paid. 

This week’s ‘must-read’ on The Avast Blog

The official app of the Spanish football league, La Liga, installed more than 10 million times, used the phone’s microphone and location info to detect if pubs and restaurants were illegally broadcasting La Liga games. Garry Kasparov looks at what the world learned – or failed to learn. 

Over 1M porn site accounts exposed 

A data breach of the porn site Luscious.net has exposed the sensitive information of almost 1.2 million accounts, SC Magazine reported. The uncovered data reveals email addresses, usernames, user activity logs, country of residence, gender, and, in some cases, full names. The data also includes account details such as video uploads, comments, favorites, and other logged activity. While the breach affected customers around the world, the highest concentration of exposed users hail from Russia, France, and Germany. Bad actors could potentially use the breached data for extortion schemes. Once alerted, Luscious resolved the issue, but users of the site are advised to change their login credentials immediately.

Newest iOS update allows iPhone jailbreaks

In its latest iOS software update, version 12.4, Apple accidentally unpatched a previous exploit that had been fixed by version 12.3. Vice reported that the blunder not only makes it possible to jailbreak iPhones now, but also to hack them. A security researcher who specializes in iPhones published the jailbreak code publicly, cautioning that in the wrong hands the vulnerability could be exploited with spyware. When a user jailbreaks their iPhone, they free it from any Apple restrictions, including the download of banned apps, operational customization, and carrier untethering. While this frees the user to tweak their iPhone however they like, it also undermines the device’s security measures, opening the door for hackers. Apple had not publicly commented on the breach as of publication. Nikolaos Chrysaidos, Avast’s head of mobile threat intelligence and security, said that in a case such as this “users should be particularly conscientious about any apps they download from the App Store, especially until Apple releases a new sub-version of iOS to address the vulnerability.”


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.