AMC inadvertently exposed its subscribers database for Sundance Now and Shudder services

Bob Diachenko

On May 1st I discovered an unprotected and publicly available MongoDB instance which appeared to contain data related to AMC Networks’ premium streaming offerings – Sundance NOW and Shudder. Although no sensitive information was exposed, the following details were still available to anybody on the Internet:

  • 1,615,360 records with subscriber information (names and emails, subscription plan details etc.) related to Sundance NOW and Shudder, both AMC Networks’ premium streaming services
  • 3,351 links to Stripe invoices, with names, emails and the last 4 digits of the credit card
  • 441,943 records of Youbora data (video analytics and business intelligence for broadcasters) collected on users, such as users’ IP, country, city, state, zip, coordinates, plus details on streaming devices, metadata etc.
  • Links to internal catalogue data and other metadata info.

I would imagine that a company of such size should have a proper incident response protocol in place; however, it was almost impossible to employ a responsible disclosure procedure here, since all the emails and contacts related to privacy and security were bouncing back. Emails sent to a number of security officers were left unanswered.

After 24 hours of unsuccessful attempts, I asked Zack Whittaker of TechCrunch to assist in getting in touch with AMC representatives via verified media channels, and almost immediately after his message the database was taken down. The company provided us with the following statement:

“We became aware of an issue regarding access to an internal development database, which was primarily used for catalogue data along with certain other non-sensitive subscriber information, and we immediately took action to close off this access. We are taking steps to make sure this doesn’t happen again.”

Still, I would argue against the non-sensitivity of the exposed data, as the emails and names combined with other details might be a starting point for a variety of phishing attacks, similar to the one we reported back in April (read more here).