23M Gamer Records Exposed in VIPGames Leak

[mood]

23M Gamer Records Exposed in VIPGames Leak

 

 

The personal data of 66,000 users was left wide open on a misconfigured Elasticsearch server, joining a growing list of companies with leaky clouds.

 

VIPGames.com, a free platform with a total of 56 available classic board and card games like Hearts, Crazy Eights, Euchre, Dominoes, Backgammon and others, has exposed the personal data of tens of thousands of users.

 

In all, more than 23 million records for more than 66,000 users were left exposed thanks to a cloud misconfiguration, according to a new report from WizCase. Aside from its desktop users, VIPGames has mobile players too, including via an app that’s been downloaded from the Google Play store more than 100,000 times alone.

 

The site joins a growing list of companies caught without properly configurated clouds which can lead to disastrous results for customers.

 

The WizCase research team, led by Ata Hackl, regularly scans the internet for open servers and found the sensitive personal information exposed and available to any cybercriminal who happened to stumble across it.

 

Online gaming represents a particularly desirable set of personal details for cybercriminals, the report explained.

Leaky Gamer Clouds Particularly Dangerous

“Online gaming brings together user personal information, transaction details and gaming habits. This fusion of confidential information creates a lucrative environment for cybercriminals to exploit,” the WizCase report explained. “Gaming platforms routinely experience multiple attacks from hackers, sabotage from competing platforms, intra-platform attacks by players targeting the Internet connections of rival users, and more.”

 

In this case, the site’s unprotected server leaked more than 30GB of data containing 23 million individual records, including usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and even data on players who were banned from the platform, WizCase said.

“Each of these data sets is not just valuable on its own but can also be used to map out other information,” the report explained. “For example, from the player IDs, it’s possible for an attacker to locate the player’s email address, IP address and hashed password, which is particularly relevant for the banned players.”

 

The report added that the VIPGames.com Terms of Use explains players can be blocked from the platform for bad behavior or cheating, and that the exposed records included the dirty details of each infraction.

“Some of these included potential pedophilia and exhibitionism,” WizCase said, adding potential blackmail to the list of threats the exposed data posed to users, in addition to identity theft, password breaches, phishing scams, malware and more.

 

Threatpost reached out to VIPGames.com for comment but hasn’t received a response.

 

And while this breach is alarming, it is part of a wider trend of companies failing to lock down their data in the cloud.

Misconfigured Clouds Are Everywhere

Last September high-end gaming gear company Razer left the personal data of about 100,000 users exposed on a similar Elasticsearch cloud cluster.

 

That same month, a group of 70 different adult dating sites was also discovered to be storing sensitive personal data — like sexual preferences — on an unsecured Elasticsearch server, leaking more than 320 million individual records.

 

In April, the Key Ring digital wallet app exposed 44 million customer records including IDs, charge cards, loyalty cards, gift cards and membership cards left open on an Amazon Web Services S3 server. And last summer, Joomla exposed the data of 2,700 people signed up for the Joomla Resources Directory community forum in an unsecured Amazon Web Services cloud storage bucket.

 

Palo Alto Networks’ Unit 42 estimates about 60 percent of breaches occur because of misconfigured public clouds.

 

Ryan Olson, vice president of threat intelligence with the Unit 42 team, explained that while 86 percent of companies deploy cloud apps, only 34 percent have “single sign-on (SSO) solutions in place, demonstrating a massive gap in cloud adoption and necessary cloud-security solutions.”

 

As for users, experts agree basic best practices for online security are always a good idea — be careful about what you share, avoid clicking on suspicious emails or links and proper password hygiene are important, WizCase advised. The firm also suggested using a VPN service to keep location data secure and install good antivirus software while the industry struggles to keep up.

“The use of the cloud enables organizations to reach their goals and scale with ease,” Anurag Kahol, CTO at Bitglass, said via email. “As more organizations adopt cloud-based tools to obtain a competitive advantage, the rate of cloud-application usage increases in tandem. However, most organizations are not equipped to handle the security demands of the cloud.”

 

 

Source: 23M Gamer Records Exposed in VIPGames Leak

[mood]

Online gaming platform VIP Games exposes 23 million data records on misconfigured server

Popular website leaks personal information belonging to 66,000 players

 

 

More than 23 million records were left exposed on a misconfigured server by free gaming platform VIPGames.com.

 

Researchers from WizCase found the personal data of 66,000 users – equating to 23 million datasets – exposed on an Elasticsearch server, a blog post reads.

“Our cybersecurity team found that confidential data on VIPGames.com was accessible to the public and could be viewed by anyone with the URL of the ElasticSearch server, left open without any password protection or encryption,” researcher Chase Williams wrote.

 

Compromised information includes usernames, email addresses, device details, IP addresses, hashed passwords, and more.

Game over

VIP Games, owned by software development company Casualino JSC, offers free online versions of classic board and card games such as Ludo, Rummy, and Dominoes.

 

According to WizCase, it attracts more than 20,000 daily active players on its desktop site, while its mobile app has more than 100,000 downloads from the Google Play Store alone.

 

Researchers found more than 30GB of sensitive data records, some of which included details on in-game transactions.

 

WizCase warned that the implications of the breach could be costly for victims if the exposed data is viewed by nefarious actors.

“If such data had fallen into the hands of cybercriminals, it could have been exploited for identity theft, fraud, phishing, scamming, espionage and malware infestation,” wrote the researchers in a blog post.

 

The Daily Swig has reached out to VIP Games.com for comment.

 

 

Source: Online gaming platform VIP Games exposes 23 million data records on misconfigured server