It’s only been three months since the implosion of Redbox, but the company’s familiar red kiosks could become a security nightmare as they’re to the highest bidders.
reports at least one owner of a defunct DVD and Blu-ray dispenser found a way to obtain customers’ private information from an encrypted file on the machine, which contained more than just one person’s penchant for the Trolls franchise. The database also contained sensitive data like personal emails and home addresses.
On Mastodon, programmer Foone Turing, a self-described collector of weird things, said she cracked the encrypted files from a Redbox machine and matched the information she found to a real person.
The file she obtained came from a Redbox machine that had operated in Morganton, North Carolina. The information she pulled from the file showed a customer’s name, ZIP code and usage history. If you’re curious, they rented a copy of The Giver and The Maze Runner. I’ll bet that person is thankful they decided not to take out a copy of Disney’s Lone Ranger reboot.
Turing told Lowpass she was even able to obtain part of some customers’ credit card information. Even though there wasn’t an entire log, she noticed it still had “the first six and the last 4 [digits] of each credit card used, plus some lower-level transaction details.”
It also didn’t take a lot of hacking know-how to crack the machines. The code Redbox used to program the machines is “the kind of code you get when hire 20 new grads who technically know C# but none of them has [sic] written any software before,” Turing wrote on Mastodon.
Now here’s the kicker. It’s clear that Redbox’s parent company, Chicken Soup for the Soul, didn’t do a great job of wiping the machines before selling them off like old shoes at a garage sale. There are over 24,000 kiosks and some people are even buying them from the store and taking the things home. Suddenly, paying a couple of extra bucks for Netflix doesn’t sound as bad right now.
We’ve reached out to Chicken Soup for the Soul for comment.
