The process of using the Stoic journaling app is simple: You open the app in the morning and the evening, when you’ll be prompted to answer a couple of questions and perform a few simple exercises.

For example, this evening the app asked me to rate my current level of fulfillment and to identify what made me smile today, while also pointing me to guided exercises like journaling and breathing.

Stoic is part of the current batch of startups at Y Combinator (it’s taking the stage today at Demo Day). Founder Maciej Lobodzinski told me that his goal is to help users understand the different factors influencing their mental and emotional state.

“The core of the app is: We have this insight and we see what influences your mood and what you feel,” Lobodzinski said. He suggested that this is very different from the “super transactional” idea embedded in my other mental health and wellness apps, where “you pay for my app and you feel better.” In his view, “You should feel how you feel. It’s okay, how you feel, but you should know why you are feeling this way.”

So once there are a couple of weeks of data in the app, you should be able to look back and see how you were feeling on a certain day, and if there were activities that made you feel more or less fulfilled. Over time, Lobodzinski hopes to add more insights about “what influenced you, why you feel this way, why you are productive.”

As the name implies, Stoic is inspired by Lobodzinski’s interest in classical Stoic philosophy (he’s not the first to suggest that the approach has direct applications in the tech industry), and the app even includes quotes from Stoic philosophers.

“It’s an extremely practical framework,” he said. “When I talk to users, there are entrepreneurs, investors, traders — people who found out about the app because they were looking for how to deal with their stress …
If you are stressed with your everyday life and you can get the advice of the emperor of Rome, who dealt with much more serious things, it’s amazing how much better you can feel after that.”

At the same time, users have the option to receive quotes from different schools of thought — not just Stoicism but also Buddhism, Taoism and Catholicism. For some users, their app experience won’t be explicitly focused on Stoicism, but Lobodzinski said that even then, it forms the “spine” of the app’s approach.

The basic app is free, but Stoic charges $27.99 per year for a premium version that includes iCloud syncing and additional content.

Source: Tech Crunch Startups | YC-backed Stoic is a journaling app with a focus on understanding your feelings

Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company’s many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service — but many also included sensitive user information, such as MoviePass customer card numbers.

These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.

We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated.

The database had more than 58,000 records containing card data — and was growing by the minute.

We also found records containing customers’ personal credit card numbers and their expiry date — which included billing information, including names and postal addresses. Among the records we reviewed, we found records with enough information to make fraudulent card purchases.

Some records, however, contained card numbers that had been masked except for the last four digits.

The database also contained email address and some password data related to failed login attempts. We found hundreds of records containing users’ email addresses and presumably incorrectly typed passwords — which was logged — in the database. We verified this by attempting to log into the app with an email address and password that didn’t exist but only we knew. Our dummy email address and password appeared in the database almost immediately.

None of the records in the database were encrypted.

Hussain contacted MoviePass chief executive Mitch Lowe by email — which TechCrunch has seen — over the weekend but did not hear back. It was only after TechCrunch reached out Tuesday when MoviePass took the database offline.

It’s understood that the database may have been exposed for months, according to data collected by cyberthreat intelligence firm RiskIQ, which first detected the system in late June.

We asked MoviePass several questions — including why the initial email disclosing the security lapse was ignored, for how long the server was exposed and its plans to disclose the incident to customers and state regulators. When reached, a spokesperson did not comment by our deadline.

MoviePass has been on a roller coaster since it hit mainstream audiences last year. The company quickly grew its customer base from 1.5 million to 2 million customers in less than a month. But MoviePass took a tumble after critics said it grew too fast, forcing the company to cease operating briefly after the company ran out of money. The company later said it was profitable, but then suspended service, supposedly to work on its mobile app. It now says it has “restored [service] to a substantial number of our current subscribers.”

Leaked internal data from April said its customer numbers went from three million subscribers to about 225,000. And just this month MoviePass reportedly changed user passwords to hobble access for customers who use the service extensively.

Hussein said the company was negligent in leaving data unencrypted in an exposed, accessible database.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussein told TechCrunch. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the data set was exposed for public access by anyone,” he said.

The security researcher said he found the exposed database using his company-built web mapping tools, which peeks into non-password protected databases that are connected to the internet, and identifies the owner. The information is privately disclosed to companies, often in exchange for a bug bounty.

Hussein has a history of finding exposed databases. In recent months he found one of Samsung’s development labs exposed on the internet. He also found an exposed backend database belonging to Blind, an anonymity-driven workplace social network, exposing private user data.

Read more:

• StockX was hacked, exposing millions of customers’ data
• Slack resets user passwords after 2015 data breach
• Capital One breach also hit other major companies, say researchers
• An exposed password let a hacker access internal Comodo files
• Security lapse exposed weak points on Honda’s internal network
• Cryptocurrency loan site YouHodler exposed credit cards and transactions

Source: Tech Crunch Startups | MoviePass exposed thousands of unencrypted customer card numbers