Clubillion, the number one ranked casino gaming app on Android and iOS, leaked daily activities as well as personal data of millions of users via a misconfigured Elasticsearch database that was accessible to third parties.
The massive data leak was discovered by researchers Noam Rotem and Ran Locar at vpnMentor who found that the exposed database, which was hosted on AWS, contained technical logs for millions of Clubillion users around the world.
The technical database built on an Elasticsearch engine was set up to store daily activity logs from both Android and iOS apps and was updated with up to 200 million records per day that took up 50GB of space.
While the daily activity logs included user activity records such as entering a game, winning, losing, updating an account, and creating an account, the logs also contained Personally Identifiable Information (PII) such as IP addresses, email addresses, private messages, and winnings.
The researchers said that Clubillion is used by a large number of users across Europe, averaging 2,475 daily active users in the UK, 1,582 in Germany, 1,650 in France, 2,407 in Italy, and 1,026 daily active users in Spain.
The Android and iOS apps of Clubillion also enjoyed more than ten thousand daily active users in the U.S., 7,792 in Canada, 6,251 in Australia, and also had millions of users from countries like Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, the Philippines, Pakistan, Thailand, Austria, Hungary, and Latvia. As such, the exposed database leaked daily activity records of people from all over the globe.
The exposed database was discovered by security researchers on 19th March, and public access to it was finally closed around 5th April, after the researchers, having received no response from the app's developers, contacted AWS directly.
Clubillion data leak could expose millions to phishing and hacking attacks
"Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users. One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software," vpnMentor said.
"If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.
Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant," the firm added.
Commenting on the massive leak of Clubillion records, Michael Barragry, Operations Lead and Security Consultant at Edgescan, said that gambling apps and their users represent attractive targets for hackers. Within the distribution of users, there will be a subset who are not at all risk-averse and are out to make a quick buck – and they may be prime targets for spear-phishing attacks and similar.
"Apps are always harvesting live analytics from their users to further customise their service around latest trends – the fact that this included IP addresses and email addresses made this especially valuable to an attacker looking to customise further, more targeted attacks.
"Gambling apps should assess which information they actually need as part of their analytics, and keep it to the minimum. It’s not clear how the database was compromised, but DB security best practices should always be followed," he added.
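As an added illustration of the data-minimisation advice above (example code written for this article, not Clubillion's or vpnMentor's), the following Python pseudonymises the email and IP fields with a keyed HMAC, drops private-message bodies, and keeps only the event fields analytics actually needs before activity records are indexed into Elasticsearch. The secret key, field names, index name and sample events are constructed assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical per-deployment secret (constructed for this example); in practice it
# comes from a secrets manager and is never stored alongside the analytics index.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"

# Fields the analytics index may carry, and how each is handled. Anything not listed
# (private message bodies, device details, ...) is dropped before indexing.
KEEP_AS_IS = {"event", "game", "platform", "timestamp", "winnings"}
PSEUDONYMISE = {"email", "ip"}


def pseudonym(value: str) -> str:
    """Keyed HMAC: the same user or IP stays countable across records without
    the raw value ever reaching the index."""
    normalised = value.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:24]


def minimise(record: dict) -> dict:
    """Return the minimal, PII-reduced document to index for one activity event."""
    out = {}
    for key, value in record.items():
        if key in KEEP_AS_IS:
            out[key] = value
        elif key in PSEUDONYMISE and value:
            out[key + "_id"] = pseudonym(str(value))
        # every other field (e.g. 'message') is intentionally not copied
    return out


# Constructed sample events of the kinds the article describes (win, private message).
SAMPLE_LOGS = [
    {"event": "game_win", "game": "slots_01", "platform": "android",
     "timestamp": "2020-03-19T10:01:02Z", "winnings": 1500,
     "email": "Alice@example.com", "ip": "203.0.113.7"},
    {"event": "private_message", "platform": "ios", "timestamp": "2020-03-19T10:05:00Z",
     "email": "alice@example.com", "ip": "203.0.113.7", "message": "send me your number"},
]


def build_bulk_body(records) -> str:
    """Build an Elasticsearch _bulk request body (newline-delimited JSON) from minimised records."""
    lines = []
    for rec in records:
        lines.append(json.dumps({"index": {"_index": "activity-minimised"}}))
        lines.append(json.dumps(minimise(rec)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_bulk_body(SAMPLE_LOGS))
```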