Misconfigured Cloud Server Exposes 66,000 Gamers

Tens of thousands of users have had their personal details exposed after a popular online gaming site left the Elasticsearch server holding their data misconfigured and reachable from the internet.



A research team at WizCase found the wide-open server, with zero encryption and no password protection, through a simple search. It was traced back to VIPGames.com, a popular free-to-play card and board game platform with 100,000 Google Play downloads and roughly 20,000 active daily players globally.
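The "wide-open server" finding above comes down to one check: does the cluster answer its root endpoint and its index listing without credentials? The following is an added example (not WizCase's tooling and not anything from Casualino) of that check: a probe that classifies an Elasticsearch root response as open, authentication-required, or not Elasticsearch, plus a summary of what `_cat/indices` exposes. The host names, ports and sample response bodies are assumptions or constructed for illustration; the JSON shapes (the `"tagline"` field and the 401 `security_exception` error) are what real Elasticsearch returns.

```python
"""Probe an Elasticsearch endpoint and report whether it answers without credentials.

Added example, not from the WizCase report or the vendor: host names and the
sample responses used in comments/tests are assumptions or constructed.
The fix on the server side is to enable authentication in elasticsearch.yml
(xpack.security.enabled: true) and to bind network.host to a private interface
or firewall port 9200 rather than exposing it to the internet.
"""
import json
import urllib.error
import urllib.request

# Literal string every Elasticsearch node returns in the body of GET /
ES_TAGLINE = "You Know, for Search"


def classify_es_response(status: int, body: str) -> str:
    """Classify a root (GET /) response: 'open', 'auth_required' or 'not_elasticsearch'."""
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return "not_elasticsearch"
    if not isinstance(doc, dict):
        return "not_elasticsearch"
    if status == 200 and doc.get("tagline") == ES_TAGLINE and "cluster_name" in doc:
        # Cluster metadata handed out to an anonymous caller: no authentication in front of it.
        return "open"
    if status == 401:
        # With security enabled, ES answers 401 with a security_exception error object.
        err = doc.get("error")
        if isinstance(err, dict) and err.get("type") == "security_exception":
            return "auth_required"
        return "auth_required"  # any 401 still means credentials are being enforced
    return "not_elasticsearch"


def summarize_indices(cat_indices_body: str):
    """Parse the JSON form of GET /_cat/indices?format=json into (total_docs, [(index, docs), ...]).

    Closed indices report docs.count as null; they are counted as 0 here.
    """
    rows = json.loads(cat_indices_body)
    per_index = []
    for row in rows:
        raw = row.get("docs.count")
        docs = int(raw) if raw not in (None, "") else 0
        per_index.append((row["index"], docs))
    per_index.sort(key=lambda pair: pair[1], reverse=True)
    return sum(docs for _, docs in per_index), per_index


def _fetch(url: str, timeout: float):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # 401/403 etc. carry a useful body
        return exc.code, exc.read().decode("utf-8", "replace")


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> dict:
    """Probe one host. Network errors yield {'verdict': 'unreachable'} instead of an exception."""
    base = f"http://{host}:{port}"
    try:
        status, body = _fetch(base + "/", timeout)
    except (urllib.error.URLError, OSError) as exc:
        return {"verdict": "unreachable", "error": str(exc)}
    result = {"verdict": classify_es_response(status, body)}
    if result["verdict"] == "open":
        # Anonymous index listing shows how much data is exposed (names, document counts).
        status, body = _fetch(base + "/_cat/indices?format=json", timeout)
        if status == 200:
            total, per_index = summarize_indices(body)
            result["total_docs"] = total
            result["indices"] = per_index
    return result


if __name__ == "__main__":
    # Hypothetical target; replace with a host you are authorised to test.
    print(json.dumps(probe("es.example.internal"), indent=2))
```

Run it only against systems you are authorised to test; the same two requests are what a scanner or search engine issues, which is why an unauthenticated cluster is found "through a simple search".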



The site features games such as Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo and Yatzy. Its Bulgarian developer, Casualino JSC, runs multiple similar gaming platforms including VIPSpades.com, VIPBelote.fr, Belot.bg, VIPJalsat.com and VIPBaloot.com.



The exposed database held over 30GB of data across 23 million records. Within that trove the researchers identified 66,000 user profiles containing usernames, email addresses, device details, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, in-game transaction details, bets and details regarding banned players.



The passwords were hashed with bcrypt at a cost factor of 10 (2^10 = 1,024 iterations of its key-setup routine), which makes each guess expensive but, WizCase argued, does not put weak or reused passwords beyond a determined attacker. Any that were recovered could then be tried against other sites and accounts used by the same gamers.
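To make the "10 rounds" claim concrete, the following added example (not code from WizCase or Casualino) parses a bcrypt hash string to recover its cost factor and estimates how long exhausting a wordlist against a set of users would take. The sample hash is a constructed, format-valid string rather than a real credential, and the reference cracking rate is a placeholder parameter, not a measured benchmark; what the code shows is how the cost factor and per-user salting scale an attacker's work.

```python
"""Parse bcrypt hashes and estimate offline-guessing effort.

Added example, not from WizCase or the affected vendor. SAMPLE_HASH is a
constructed, format-valid string, not a leaked credential. The rate figures
passed to the estimator are assumptions supplied by the caller.
"""
import re

# Modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>, bcrypt base64 alphabet
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed for illustration: cost 10, salt a..v, digest A..Z01234 (not a real hash).
SAMPLE_HASH = "$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into variant, cost, iterations, salt and digest.

    Raises ValueError for anything that is not a well-formed bcrypt hash, so a
    leaked table can be triaged (cost 4..31 is the range the algorithm accepts).
    """
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost_str, salt, digest = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} out of range 4..31")
    return {
        "variant": variant,
        "cost": cost,
        "iterations": 2 ** cost,  # bcrypt runs its expensive key schedule 2**cost times
        "salt": salt,
        "digest": digest,
    }


def guesses_per_second(cost: int, ref_cost: int, ref_rate: float) -> float:
    """Scale a benchmark measured at ref_cost to another cost.

    bcrypt work is linear in 2**cost, so each +1 in cost halves the guess rate.
    ref_rate is an assumption supplied by the caller (e.g. a hashcat benchmark).
    """
    return ref_rate / (2 ** (cost - ref_cost))


def seconds_to_exhaust(cost: int, wordlist_size: int, user_count: int,
                       ref_cost: int, ref_rate: float) -> float:
    """Time to try every wordlist entry against every user.

    Because bcrypt salts every hash, there is no shared precomputation: the
    attacker pays a full pass over the wordlist for each of the user_count hashes.
    """
    total_guesses = wordlist_size * user_count
    return total_guesses / guesses_per_second(cost, ref_cost, ref_rate)


def triage(hashes) -> dict:
    """Count hashes per cost factor and flag malformed entries in a leaked table."""
    by_cost, malformed = {}, 0
    for h in hashes:
        try:
            c = parse_bcrypt(h)["cost"]
        except ValueError:
            malformed += 1
            continue
        by_cost[c] = by_cost.get(c, 0) + 1
    return {"by_cost": by_cost, "malformed": malformed}


if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_HASH)
    print(f"cost={info['cost']} iterations={info['iterations']}")
    # 66,000 users, a 10,000-word list, and an assumed 100,000 guesses/s at cost 5.
    secs = seconds_to_exhaust(info["cost"], 10_000, 66_000, ref_cost=5, ref_rate=100_000)
    print(f"full pass over wordlist for every user: {secs / 3600:.1f} hours (assumed rate)")
```

The point the numbers make is that cost 10 slows a single guess roughly 32-fold relative to the cost-5 figure cracking benchmarks are usually quoted at, but a short wordlist of common passwords still runs through tens of thousands of salted hashes in hours, which is why reused passwords remain the practical risk.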



The firm warned that if a threat actor had found the exposed data, they could have crafted convincing phishing attacks by email or phone, using the extensive personal information in these profiles.



There was even an opportunity for blackmail of certain banned users of the site, it claimed.



“A hacker could obtain a banned user’s email address and social media IDs then use the reason given for the ban for extortion or revenge. For instance, a player who was banned for possible pedophile b ..
