An unsecured Elasticsearch database has been leaking data on millions of global gambling app users, according to researchers at vpnMentor.
The group discovered the unsecured database hosted on AWS as part of a broader web mapping project. It was quickly traced back to casino app Clubillion, which was contacted on March 23. The database was finally secured on April 5, five days after AWS was also contacted.
Unlike many similar discoveries, this online database was updated with huge amounts of users’ personal information every single day: in the region of 200 million new records, or 50GB, daily, and sometimes considerably more, according to vpnMentor.
These records included every action taken by every player on the app (“win,” “lose,” “update account,” etc.) and personally identifiable information (PII) including emails, private messages, winnings and IP addresses.
The research team warned that gambling apps are a popular target for cyber-criminals, who go looking for PII and to target software vulnerabilities in order to install malware on users’ devices.
Sophisticated phishing campaigns could leverage specific leaked activity data showing transaction errors from card payments on the app. By following up with individual emails targeted at these users, cyber-criminals stand a stronger chance of eliciting more personal and financial information or tricking the user into installing covert malware, vpnMentor claimed.
“On a single day, tens of thousands of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyber-attacks – along with millions more whose records were also contained in the database,” it claimed.
“The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.”
The firm could now also face extra scrutiny from GDPR regulators and from Google Play and the App Store, vpnMentor warned.