A security flaw in Ster-Kinekor’s old website exposed 1.6 million unique email addresses to the public Internet, according to HaveIBeenPwned.com.
It is important to note that HaveIBeenPwned doesn’t have the private details of everyone in Ster-Kinekor’s database.
Troy Hunt, the founder of HaveIBeenPwned.com, told MyBroadband he was sent a list of email addresses so that alerts could be sent to their owners. HaveIBeenPwned has not seen a public leak of Ster-Kinekor’s database.
HaveIBeenPwned’s alert comes after software developer Matt Cavanagh, who goes by RogueCode, disclosed the vulnerability.
Cavanagh discovered the vulnerability in 2016 and told Ster-Kinekor about the issue. He was informed by Ster-Kinekor that the cinema chain was switching to a different back-end system that would fix the problem.
Ster-Kinekor switched to a new point-of-sale system called Vista, from its Prezence system.
The change has been completed, which means Ster-Kinekor’s site is no longer vulnerable.
In his disclosure, Cavanagh said the IDs in the database went up to about 6.7 million. However, that figure included deleted accounts.
Among the accounts that remained, there were 1.6 million unique email addresses.
Other data exposed by Ster-Kinekor’s old system included names, addresses, phone numbers, and plaintext passwords.
Hunt and Cavanagh warned that although no one can know for sure at this stage whether the data from Ster-Kinekor’s site was in malicious hands, those affected should assume it is.
“Given the nature of the underlying flaw, it would be very difficult to say whether other parties had exploited [it] and extracted other information,” said Hunt.
“Particularly given the API was being invoked as designed, I’d be surprised if Ster-Kinekor was able to emphatically say that nobody else has the data.”
Cavanagh advised people affected by the vulnerability to change their passwords if they were used on other sites.
“If you’ve used your [Ster-Kinekor] password anywhere else, go change it to something unique right now.”