Redbox customers’ credit card numbers, private information stored in kiosks easily hacked

Redbox customers have been warned.

Old Redbox kiosks have been hacked to reveal customers’ credit card numbers and more of their private information, including their names, addresses and emails.

California-based programmer Foone Turing claimed in a social media thread last week that she was able to hack an old Redbox machine in Morganton, North Carolina.

It said it was able to find out customers’ name, ZIP code and usage history. They had rented The Giver and The Maze Runner nine years before the hack.

According to Foone Turing, the hard drives in the Redbox machine had the first 6 digits and last 4 digits of the credit card used, as well as “other lower-level transaction details.”

Foone Turing told Ars Technica that it wasn’t a difficult task to find the customer data on the machine belonging to the beloved movie rental kiosk.

“The device has many logs, and customer data was spread across several of them—usually fragmentary, but it’s not too difficult to cross-reference them with other logs. It’s not very easy to access the data directly,” she said.

“Most of it is kept in an old database format that isn’t easy to manipulate, but anyone with basic hacking skills can easily pull the data manually from the files with a hex editor,” added the programmer.

Foone Turing explained that the “root issue” of the Redbox hacking situation “is that this is a machine that has to start itself, with no chance of a human putting in a decryption password or anything. That means the machine has to be able to decipher itself.”

Redbox’s parent company, Chicken Soup for the Soul Entertainment (CSSE), filed for bankruptcy in July.

The Wall Street Journal reported at the time that 24,000 Redbox rental kiosks were closing as the company moved to liquidate its assets.

Judge Thomas Horan of the U.S. Bankruptcy Court for the District of Delaware, who is overseeing the case, granted the company’s request to pursue liquidation proceedings, saying, “there is no means of continuing to pay employees, pay any bill”.

Redbox’s liquidation reportedly leaves all 1,033 of its employees unemployed, and the workers will not receive any severance pay or extended benefits.

In its Chapter 11 reorganization filings on June 28, CSSE listed $970 million in total debt and consolidated assets of $414 million as of March 31, 2024, Variety reported.

The company still owes money to Walmart and Walgreens — stores where some of its kiosks were located — and media companies, including Warner Bros. Home Entertainment and Sony Pictures Television.

Redbox was founded in 2002 and was a rival video store to Blockbuster, which has only one franchise store in the United States.