Casino App Clubillion Leaks PII on “Millions” of Users


An unsecured Elasticsearch database has been leaking data on millions of global gambling app users, according to researchers at vpnMentor.

The group discovered the unsecured database hosted on AWS as part of a broader web mapping project. It was quickly traced back to casino app Clubillion, which was contacted on March 23. The database was finally secured on April 5, five days after AWS was also contacted.

Unlike many similar discoveries, this online database was updated with huge amounts of users’ personal information every single day: in the region of 200 million new records, or 50GB, daily, and sometimes considerably more, according to vpnMentor.

These records included every action taken by every player on the app (“win,” “lose,” “update account,” etc.) and personally identifiable information (PII) including emails, private messages, winnings and IP addresses.

The research team warned that gambling apps are a popular target for cyber-criminals, who go looking for PII and to target software vulnerabilities in order to install malware on users’ devices.

Sophisticated phishing campaigns could leverage specific leaked activity data showing transaction errors from card payments on the app. By following up with individual emails targeted at these users, cyber-criminals stand a stronger chance of eliciting more personal and financial information or tricking the user into installing covert malware, vpnMentor claimed.

“On a single day, tens of thousands of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyber-attacks – along with millions more whose records were also contained in the database,” it claimed.

“The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.”

The firm could now also face extra scrutiny from GDPR regulators and from Google Play and the App Store, vpnMentor warned.



Source link

Recent articles

Ohio Governor Says His Flawed Virus Test Shouldn’t Undercut New, Rapid Methods

Gov. Mike DeWine of Ohio, who last week tested positive for the coronavirus, then negative and then negative again, said on CNN on...

Egypt extends detention of Al Jazeera journalist Mahmoud Hussein | News

Egyptian authorities have extended the detention of Al Jazeera journalist Mahmoud Hussein by another 45 days. The extension on Sunday came more than 1,300...

Created with Blender 2.8: ‘Take on me’ cover: Arrangement for Flute orchestras

PiDi writes: 'Take on me' cover: Arrangement for Flute orchestras (Cover) Similar to the original video, it looks like a comic book. All image effects were...

Looks Like AT&T Cancelled Plans for WB Interactive Sale

Following months of reports about its sale, Warner Bros. Interactive Entertainment seems to be resting safely with AT&T for now, if comments by...

Leave a reply

Please enter your comment!
Please enter your name here