Popular website leaks personal information belonging to 66,000 players
More than 23 million records were left exposed on a misconfigured server by free gaming platform VIPGames.com.
Researchers from WizCase found the personal data of 66,000 users – equating to 23 million datasets – exposed on an Elasticsearch server, according to a blog post.
“Our cybersecurity team found that confidential data on VIPGames.com was accessible to the public and could be viewed by anyone with the URL of the ElasticSearch server, left open without any password protection or encryption,” researcher Chase Williams wrote.
Compromised information includes usernames, email addresses, device details, IP addresses, hashed passwords, and more.
VIP Games, owned by software development company Casualino JSC, offers free online versions of classic board and card games such as Ludo, Rummy, and Dominoes.
According to WizCase, it attracts more than 20,000 daily active players on its desktop site, while its mobile app has more than 100,000 downloads from the Google Play Store alone.
Researchers found more than 30GB of sensitive data records, some of which included details on in-game transactions.
WizCase warned that the implications of the breach could be costly for victims if the exposed data is viewed by nefarious actors.
“If such data had fallen into the hands of cybercriminals, it could have been exploited for identity theft, fraud, phishing, scamming, espionage and malware infestation,” wrote the researchers in a blog post.
The Daily Swig has reached out to VIPGames.com for comment.