Over 6 million records from the streaming service MovieBoxPro were compromised through a vulnerable API, exposing user data. The breach, which occurred on April 15, 2024, came to light through the online platform Have I Been Pwned (HIBP).
MovieBoxPro is a streaming service known for its expansive library of movies and TV shows. Despite its popularity among users seeking convenient access to media content, the platform operates in a legal grey area, often without providing clear contact information or straightforward disclosures about its operational security measures.
According to HIBP's creator, Troy Hunt, attackers exploited a vulnerable API on MovieBoxPro's service to scrape data, which was then mass enumerated, a technique used by cybercriminals to validate and compile useful data for further attacks or fraud.
The breach was discovered by security researchers who noticed unusual activity involving MovieBoxPro's APIs. Following the detection, details were forwarded to HIBP, which then verified and listed the breach on April 30, 2024.
The API vulnerability was reportedly patched shortly after discovery, though details about the remediation process remain sparse due to the service's opaque communication channels. Also, the exposure of user data, such as email addresses and usernames, could potentially be used to identify and prosecute individuals for copyright infringements.
The compromised data included email addresses and usernames. This places exposed users at risk of phishing attacks, credential stuffing, password brute-forcing, and various other dire scenarios.
The public response, particularly on social media platforms like Twitter and dedicated forums such as Reddit, has been one of concern and frustration. Users of MovieBoxPro expressed dismay not only at the breach itself but also at the lack of direct communication from the service.
No official response from MovieBoxPro has been forthcoming, leaving affected users to rely on third-party sites for updates and advice.
Users affected by the MovieBoxPro data breach would be well advised to change the passwords on any accounts that use the same email address, picking something strong and unique for each. In the future, try to limit your content consumption activities to trustworthy and legitimate media streaming platforms.