AMC Networks exposed 1.62 million total records — including data of subscribers’ names, emails, and subscription details — on the open internet connected to its Sundance Now and Shudder subscription streaming services.
Bob Diachenko, cyber threat intelligence director and journalist at Security Discovery, alerted AMC Networks on Wednesday. He wrote:
On May 1st I have discovered an unprotected and publicly available MongoDB instance which appeared to contain data related to AMC Networks’ premium streaming offerings – Sundance NOW and Shudder. Although no sensitive information was exposed, still the following details were available for anybody on the Internet:
1,615,360 records with subscribers information (names and emails, subscription plan details etc.) related to Sundance NOW and Shudder, both AMC Networks’ premium streaming services
3,351 links to Stripe invoices, with names, emails and last 4 digits of credit card
Youbora (video analytics and business intelligence for broadcasters), (441,943 records), collected on users, such as users’ IP, country, city, state, zip, coordinates plus details on streaming devices, metadata etc.
Links to internal catalogue data and other metadata info.
Diachenko noted the lack of a “proper incident response protocol” at AMC Networks, sharing screenshots of automatically bounced back emails he sent to the company’s security officers.
Public access to the database was eventually shut down after Diachenko reached AMC Networks through a contact at TechCrunch.
Despite the non-sensitivity of the exposed data, Diachenko warned of vulnerabilities to phishing attacks given the exposure of names, emails, and subscriber data.
Follow Robert Kraychik on Twitter @rkraychik.