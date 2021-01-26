

Misconfigured Cloud Server Exposes 66,000 Gamers

Tens of thousands of users have had their personal details exposed after a popular online gaming site misconfigured the Elasticsearch server on which that data was stored.

A research team at WizCase found the wide-open server, with zero encryption and no password protection, through a simple search. It was traced back to VIPGames.com, a popular free-to-play card and board game platform with 100,000 Google Play downloads and roughly 20,000 active daily players globally.

The site features games such as Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo and Yatzy. Its Bulgarian developer, Casualino JSC, runs multiple similar gaming platforms including VIPSpades.com, VIPBelote.fr, Belot.bg, VIPJalsat.com and VIPBaloot.com.

Over 30GB of data was leaked in the privacy snafu, including 23 million records. In this trove, the researchers picked out 66,000 user profiles including: usernames, emails, device details, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, in-game transaction details, bets and details regarding banned players.

The passwords were hashed with the Bcrypt algorithm at 10 rounds which, while time-consuming to crack, is not impossible for a determined attacker, WizCase argued. Cracked passwords could then be used in attempts to access other sites and accounts used by the same gamers.

The firm warned that if a threat actor had found the exposed data, they could have crafted convincing phishing attacks by email or phone, using the extensive personal information in these profiles.

There was even an opportunity for blackmail of certain banned users of the site, it claimed.

“A hacker could obtain a banned user’s email address and social media IDs then use the reason given for the ban for extortion or revenge. For instance, a player who was banned for possible pedophile behavior could be tricked into a physical meeting with vigilantes,” WizCase continued.

“If a user was banned for exhibitionism, someone who knows their email address or social media accounts could threaten to expose them. Also, given bans are ultimately at the moderators’ discretion, a banned player’s personal reputation may be ruined if the accusation was without merit.”

Users were advised not to reuse passwords, to use a password manager, to be cautious of unsolicited phone calls and not to reply to unsolicited emails.
