A Chinese game developer has unwittingly exposed the personal and device details of over a million players after leaving an internet-facing server unsecured, according to researchers.
A team at vpnMentor led by Noam Rotem and Ran Locar discovered the unprotected Elasticsearch server on July 5. After receiving no reply from its owner, EskyFun Entertainment Network Limited, they contacted the Hong Kong CERT, and the database was secured the following day, July 28.
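The underlying problem is the familiar one: an Elasticsearch node listening on the internet with no authentication, so anyone who finds it can read every index. The script below is an added example, not code from vpnMentor or EskyFun, that probes a host on the default port 9200, classifies the answer to `GET /` (open, auth-required or not Elasticsearch at all), and, if the node is open, lists the indices reachable without credentials. The hostname, port and the sample responses embedded at the bottom are assumptions and constructed for the example.

```python
"""Check whether an Elasticsearch endpoint answers without credentials.

Added example, not from the vpnMentor report. Host/port and the sample
responses below are assumptions constructed for illustration.
"""
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Classify one HTTP response to GET / on a suspected Elasticsearch host.

    Returns 'open' (cluster banner served with no auth), 'auth-required'
    (node rejected the request with 401), or 'not-elasticsearch'.
    """
    if status == 401:
        # X-Pack security / a reverse proxy with auth rejects anonymous requests
        return "auth-required"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        # The root document of an open node carries cluster_name and version
        if isinstance(data, dict) and "cluster_name" in data and "version" in data:
            return "open"
    return "not-elasticsearch"


def index_summary(cat_indices_body):
    """Reduce /_cat/indices?format=json to (index, doc count, on-disk size)."""
    rows = json.loads(cat_indices_body)
    # docs.count is a string in the _cat output and may be null for closed indices
    return [(r["index"], int(r["docs.count"] or 0), r["store.size"]) for r in rows]


def probe(host, port=9200, timeout=5):
    """Fetch GET / and GET /_cat/indices from a live host (needs network access)."""
    base = f"http://{host}:{port}"
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as resp:
            verdict = classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        # HTTPError is file-like, so the error body is still readable
        verdict = classify(e.code, e.read().decode())
    if verdict != "open":
        return verdict, []
    with urllib.request.urlopen(base + "/_cat/indices?format=json", timeout=timeout) as resp:
        return verdict, index_summary(resp.read().decode())


# Constructed sample responses (not captured from any real server)
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "game-analytics",
    "version": {"number": "7.10.2"},
    "tagline": "You Know, for Search",
})
SAMPLE_AUTH_ERROR = json.dumps({"error": {"type": "security_exception"}, "status": 401})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "player-events-2021.07.05", "docs.count": "1234567", "store.size": "2.1gb"},
    {"index": "player-events-2021.07.04", "docs.count": "1198003", "store.size": "2.0gb"},
])

if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN_ROOT))          # open
    print(classify(401, SAMPLE_AUTH_ERROR))         # auth-required
    for name, docs, size in index_summary(SAMPLE_CAT_INDICES):
        print(f"{name}: {docs} docs, {size}")
```

Run `probe("your-es-host")` against your own nodes; a verdict of `open` with a non-empty index list is exactly the condition the researchers found. The fix is on the server side, not in the client: bind Elasticsearch to a private interface, enable the built-in security (`xpack.security.enabled: true` in `elasticsearch.yml` on the versions that ship it), and front any internet-facing instance with authentication.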
The 134GB trove contained an estimated 365 million records linked to players of the firm’s fantasy games: Rainbow Story: Fantasy MMORPG; Metamorph M; and Dynasty Heroes: Legends of Samkok.
The size of the collection is all the more striking because the server held only a rolling seven-day window of records: anything older was deleted to make room for fresh data.
“The reason for the sheer size of the data exposed appears to be EskyFun’s aggressive and deeply troubling tracking, analytics, and permissions settings,” vpnMentor claimed. “EskyFun gains access and control to almost every aspect of a person’s device and even their private networks. Most of [the data] is totally unnecessary for the games to function.”
Among the data leaked via the unsecured server were IP addresses, device models, phone numbers, geolocation data and buyer account IDs. The researchers also found over 217 million email addresses and EskyFun account passwords stored in plaintext.
The vpnMentor team estimated the number of users affected at over one million, based on the Android download counts of the three affected games, which total around 1.5 million.
“Combining a user’s email address, gaming history, and support requests, hackers could send thousands of phishing emails posing as EskyFun’s support,” the researchers wrote.
“The database also contained plenty of data to build a profile of users and identify two vulnerable groups: high-paying accounts and children. By focusing on these users, hackers could reap huge financial rewards from a small group of victims.”
Cyber-criminals could also have used the plaintext passwords to hijack users' EskyFun gaming accounts, or to feed credential stuffing campaigns designed to unlock other accounts across the web that are protected by the same reused credentials.
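Plaintext storage is what turns a leaked database into a ready-made credential stuffing list. The example below is added here and is not EskyFun's or vpnMentor's code: it stores passwords as salted scrypt hashes using only the Python standard library, so that a dump of the records yields neither the passwords nor even the fact that two players share one. The scrypt parameters and the sample user records are assumptions chosen for the example.

```python
"""Store and verify passwords as salted scrypt hashes instead of plaintext.

Added example, not from the page's subject. Parameters and sample records
are assumptions constructed for illustration.
"""
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: an assumption for this example (128*N*r = 16 MiB of
# memory per hash); raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$salt$digest (base64 fields)."""
    salt = salt or os.urandom(16)          # fresh random salt per record
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the parameters embedded in the record and compare."""
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported password record")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # Constant-time comparison so a timing side channel leaks nothing
    return hmac.compare_digest(actual, expected)


def shared_secrets_visible(records):
    """How many values in a dumped column repeat, i.e. how much an attacker
    learns about password reuse just by looking at the records."""
    return len(records) - len(set(records))


if __name__ == "__main__":
    # Constructed sample users; two of them reuse the same password
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

    plaintext_column = list(users.values())
    hashed_column = [hash_password(pw) for pw in users.values()]

    print("repeats visible in plaintext dump:", shared_secrets_visible(plaintext_column))  # 1
    print("repeats visible in hashed dump:   ", shared_secrets_visible(hashed_column))     # 0
    print("alice logs in:", verify_password("hunter2", hashed_column[0]))                  # True
    print("wrong password:", verify_password("hunter3", hashed_column[0]))                 # False
```

The record format carries its own parameters, so cost factors can be raised later and old records re-hashed on next login. Hashing does not stop credential stuffing against other sites if a user reuses the password elsewhere, but it means the attacker first has to crack each salted hash individually instead of reading the list.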