Clubillion Leaks Activities, Personal Data Of Users

Noam Rotem and Ran Locar, researchers at vpnMentor, discovered a massive data leak of technical logs of millions of users of the gaming app Clubillion. The leak took place after a third party accessed a misconfigured Elasticsearch database.

Security is one of the most important and hardest features to maintain when going online.

Security companies are working hard to ensure that their clients’ user information is secured. If leaked, others could use user information in fraudulent activities like identity theft.

The Elasticsearch engine technical database stores daily activity logs of users accessing the gaming app on Android and iOS. The database records around 200 million records every day, taking up nearly 50GB of space.

Elasticsearch engine technical database

The leaked information included user activities such as logins, winning, losing, and updating and creating an account, as well as personal information, including IP addresses, email addresses, private messages, and winnings.

The researchers revealed that the gaming app has a large number of users across the globe. Its average active daily users in the UK reached 2,475. The average daily active users of the app reached 1,582 in Germany, 2,407 in Italy, and 1,026 in Spain.

Its daily active users in the US reached more than ten thousand, with 7,792 in Canada and 6,251 in Australia. The app has millions of users in other countries, including Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, the Philippines, Pakistan, Thailand, Austria, Hungary, and Latvia.

Security researchers discovered the exposed information on March 19, and it was secured on April 5 after they reached the developers of the app.

Risks of the leak

Online gaming is growing, and many companies are starting to launch apps on Android and iOS. However, industry regulators have limited control over the transparency of gaming and casino apps. This leaves regulators no way of tracking the security protocols of the apps. There is no way of knowing how they protect themselves from cybercriminals.

vpnMentor said that a study of 23,000 free gambling apps concluded that 3,200 pose a moderate risk to users. Security vulnerabilities were found in 379 apps, while 52 contain malicious software.

The firm said that malware embedded on a user’s phone could put other apps and stored files at risk of access.

Cybercriminals can also make calls and send texts and chats if they can access the user’s online information. Hackers can also access the user’s contact list and steal information about their families and friends. The firm added that the risks are much higher because people are in quarantine due to the novel coronavirus.

Michael Barragry, Edgescan’s Operations Lead and Security Consultant, said gaming apps and users are prone to hacking. He added that the apps are prone to spear-phishing and other similar attacks.

Users’ IP addresses and email addresses in mobile gaming apps make them a target for internet crime.

He mentioned that gambling apps need to assess the information that they need. He said that they need to keep stored data to a minimum. He added that DB security practices should be followed at all times.
