A massive data leak discovered in the technical database of the popular casino gambling app Clubillion exposed the daily activities and personally identifiable information of millions of users, according to vpnMentor researchers.
Housed on a misconfigured Elasticsearch engine, the unprotected database recorded up to 200 million records per day (50 GB), including details of the technical activity of Android and iOS users around the globe.
According to the investigators’ report, “every time an individual player took any action on the app, a record was logged.” These actions include:
• Entering a game
• Game status (win or lose)
• Creating or updating an account
Various forms of personally identifiable information (PII) were also up for grabs, including IP and email addresses, winnings and private messages.
The data leak impacted users on nearly every continent, with activity concentrated in certain countries. For example, average daily users exceeded 10,000 for the U.S., 7,700 for Canada, 6,200 for Australia, and 3,800 for Brazil.
The exposed database was discovered on March 19, and public access to it was closed off on April 5, after the researchers contacted Amazon Web Services.
The researchers emphasized that “free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals” who go after users’ private information or embed malicious software to access users’ devices.
“If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device,” researchers said. “Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.”
With the leaked information, an attacker could target users with phishing campaigns that could lead to further data and financial exposure.
The developers also risk losing millions of players, and since many Clubillion users reside within the EU, Europe’s privacy watchdog could issue a hefty fine to the app’s publishers.
The researchers also anticipate a grim outcome for the app: “Clubillion could potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.”