vpnMentor researchers have discovered a massive data leak in Clubillion, a popular casino gambling app. The leak affected the app’s technical database, exposing the daily activities and personal information of its millions of users. With this user information publicly available, many users are now vulnerable to fraud and malicious attacks.
The database was built on a misconfigured Elasticsearch search engine and hosted on an Amazon Web Services (AWS) server. It logged 200 million records of user interactions and information every day, around 50 gigabytes of data, including device information and activity logs of Android and iOS users all over the world. The researchers’ report detailed that every time a player performs an action, such as entering a game, creating an account, or updating information on the account, and even when the current game status changes in the app, a record is logged and sent to the database.
Various forms of personally identifiable information were leaked, including players’ IP addresses, email addresses, private messages, and winnings. The leak has impacted users all around the world, with some countries showing higher user activity than others: the US has over 10,000 average daily users, Canada over 7,700, Australia over 6,200, Brazil over 3,800, and the UK over 2,400.
The timeline of this breach is as follows. The researchers and analysts at vpnMentor discovered the breach on March 19, 2020. The team then contacted the vendors on March 23, 2020. As with any data breach or problem regarding their web services, the vendors disregarded the research and downplayed its impact. While waiting for the vendors’ reply, the team also contacted AWS on March 31, 2020, and the closing of AWS services took place on April 5, 2020. Oddly enough, to this day the app is still available on both the Android and iOS app stores.
The impact of this data breach is immense, as it leaves users highly exposed to malicious attackers. The researchers emphasised that because this is a free gambling app, it is a common target for cyber criminals. They commonly go after users’ private information and even go as far as embedding malicious software with the purpose of accessing the user’s device. The researchers further explained that if these attackers used Clubillion to embed a trojan or similar malware onto a user’s phone, they would be able to hack other apps and even fully control the phone. They may also target the user with phishing scams that would grant them access to banking and credit card information, files, and other data on the user’s phone.
The situation is made worse by the current pandemic: with people in quarantine or lockdown, the increased use of mobile devices increases the significance of the leak’s impact. The app may soon find itself in deep water if its developers continue to downplay the situation. It risks losing millions of players, as Google and Apple are locking down apps that pose a risk to their users and removing such apps from their app stores.