Old Redbox Kiosks Hacked To Reveal Customers’ Names, Emails, Card Details

DVD rental service Redbox might be confined to history, but the data privacy problems it has left for consumers might be sticking around for a while.

Redbox allowed consumers to rent DVDs from its 24,000 automatic kiosks all across the US. Its parent company Chicken Soup went bankrupt in July 2024 after the rise of streaming services like Netflix and Amazon Video decimated the DVD rental industry. 

Ars Technica reports that one programmer managed to reverse-engineer the hard drive of an old Redbox Kiosk and was able to dig out customers’ names, emails, and rental histories from almost a decade ago.

In some cases, the California-based programmer Foone Turing was able to find parts of consumers’ credit card history stored on the hard drives, including the first 6 and last 4 digits of the credit card used and some transaction history.

She claimed in a social media post that she was even able to track down one film fan based in Morganton, North Carolina, who allegedly rented The Giver and The Maze Runner in 2015.

However, Ars Technica wasn’t able to verify the last claim. 

The Turing wasn’t impressed by the level of security she found on the old Kiosks.

She told Ars Technica that “anyone with basic hacking skills could easily pull data manually out of the files with a hex editor.”

“This is the kind of code you get when you hire 20 new grads who technically know C# but none of them has written any software before,” she added. 

The programmer claims she didn’t even need to access a physical RedBox kiosk to dig out the old data, and instead simply used an uploaded hard drive she found on the social network Discord. 

The news comes as old Redbox kiosks are becoming collector items in some circles, and many enthusiasts are collecting kiosks as film history souvenirs.

The Wall Street Journal reports that one 19-year-old North Carolina resident acquired one after striking up a conversation with a contractor who was hired to dispose of one of them.

Unfortunately, the options for legal recourse from any victims impacted may be slim.

Mario Trujillo, a staff lawyer for the Electronic Frontier Foundation, told Ars Technica that “it may be hard to hold a bankrupt company accountable.”

One bright side to the story, tech publication Lowpass points out, is that the Redbox kiosks may have only stored this identifying personal data locally if there was a disrupted internet connection or power cut that stopped it from being uploaded to the cloud. 

About Will McCurdy

Contributor

I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.

I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.

Read Will’s full bio

Read the latest from Will McCurdy