More than 65,000 users had their personal data exposed after an online gaming site left the Elasticsearch server holding that data misconfigured and reachable from the internet. The affected website, VIPGames.com, is a free gaming platform offering games such as Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo and Yatzy.
Its Bulgarian developer, Casualino JSC, runs multiple similar gaming platforms including VIPSpades.com, VIPBelote.fr, Belot.bg, VIPJalsat.com and VIPBaloot.com.
A research team discovered the wide-open server: it had no password protection and no encryption, so anyone who found it could read its contents. The data traced back to VIPGames.com, which has roughly 15,000 daily active users and around 100,000 Google Play downloads.
More than 30GB of data, about 23 million records, is believed to have been exposed. User profiles were only part of it: usernames, email addresses, IP addresses, system information, hashed passwords, in-game transactions and data on banned users were all uncovered by the researchers.
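The misconfiguration described above, an Elasticsearch node answering without credentials or TLS, is something a practitioner can check for directly. The script below is an added example, not code from the article, from Casualino or from the research team. The `classify`, `probe` and `verdict` helpers and the two sample responses are constructed for illustration; the response shapes (the root banner with its `tagline`, and the 401 `security_exception` body when authentication is enforced) are what Elasticsearch itself returns, so the classification logic can be exercised offline.

```python
"""Check whether an Elasticsearch REST port is exposed without authentication
or TLS. Added example; the helpers and sample bodies below are constructed."""
import json
import ssl
import sys
import urllib.error
import urllib.request

# Every Elasticsearch node answers GET / with a JSON banner carrying this tagline.
ES_BANNER_TAGLINE = "You Know, for Search"

# Constructed sample bodies, shaped like real Elasticsearch responses.
OPEN_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "example-cluster",
    "cluster_uuid": "constructed-uuid", "version": {"number": "7.10.2"},
    "tagline": ES_BANNER_TAGLINE,
})
AUTH_REQUIRED = json.dumps({
    "error": {"root_cause": [{"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"}],
              "type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
})


def classify(status: int, body: str) -> str:
    """Classify one response to an unauthenticated GET on the root URL.

    "open"  -> banner served with no credentials: indices are readable by anyone
    "auth"  -> 401 security_exception: X-Pack authentication is enforced
    "other" -> not an Elasticsearch answer (proxy page, other service, garbage)
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "other"
    if not isinstance(doc, dict):
        return "other"
    if status == 200 and doc.get("tagline") == ES_BANNER_TAGLINE:
        return "open"
    if status == 401 and doc.get("status") == 401:
        causes = doc.get("error", {}).get("root_cause", [])
        if any(c.get("type") == "security_exception" for c in causes):
            return "auth"
    return "other"


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> dict:
    """Try plaintext HTTP and then HTTPS against the node and classify each answer.

    Hypothetical helper: a fuller assessment would also record version.number
    from the banner and list /_cat/indices when the node turns out to be open.
    A scheme that does not answer at all is recorded as None.
    """
    result = {"host": host, "port": port, "http": None, "https": None}
    for scheme in ("http", "https"):
        url = f"{scheme}://{host}:{port}/"
        ctx = ssl.create_default_context() if scheme == "https" else None
        try:
            with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
                result[scheme] = classify(resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:  # 401/403 etc. still carry a body
            result[scheme] = classify(err.code, err.read().decode("utf-8", "replace"))
        except (urllib.error.URLError, OSError, ValueError):
            result[scheme] = None  # closed port, TLS handshake failure, or wrong scheme
    return result


def verdict(result: dict) -> str:
    """Reduce a probe result to the finding a report would carry."""
    if result["http"] == "open":
        return "EXPOSED: unauthenticated access over plaintext HTTP"
    if result["https"] == "open":
        return "EXPOSED: unauthenticated access (TLS on, but no authentication)"
    if result["https"] == "auth":
        return "OK: authentication enforced over TLS"
    if result["http"] == "auth":
        return "WEAK: authentication enforced, but credentials travel in cleartext"
    return "UNKNOWN: no Elasticsearch banner on either scheme"


if __name__ == "__main__":
    # Only probe hosts you are authorized to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    outcome = probe(target)
    print(outcome)
    print(verdict(outcome))
```

The fix on the server side is configuration rather than code: set `xpack.security.enabled: true` in `elasticsearch.yml` so the REST API demands credentials, enable `xpack.security.http.ssl.enabled: true` so those credentials and the query results are not sent in cleartext, and keep `network.host` bound to an internal address so port 9200 is never reachable from the internet in the first place.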
Online gaming accounts are an attractive target for cybercriminals, and although the passwords were hashed with bcrypt, that only slows an attacker down: weak or common passwords can still be recovered by an offline dictionary attack against the leaked hashes. A determined threat actor could then use recovered credentials to gain unauthorized access to other sites and accounts where the same users reused their password.
The researchers warned that a threat actor who found the exposed data could craft convincing phishing attacks by email or phone, using the extensive personal information in these profiles, and that the data on banned users also opened the door to blackmail. “A threat actor could access a banned user’s email address and use the reason given for the ban for extortion,” the report states.
“If a user was banned for exhibitionism, someone who knows their email address or social media accounts could threaten to expose them. Also, given bans are ultimately at the moderators’ discretion, a banned player’s personal reputation may be ruined if the accusation was without merit.”
Users of VIPGames are advised not to reuse old passwords, to use a password manager, and not to engage with unsolicited emails or phone calls.