A Chinese game developer has accidentally leaked nearly six million player profiles for the popular title Battle for the Galaxy after misconfiguring a cloud database, Infosecurity has learned.
AMT Games, which has produced a string of mobile and social titles with tens of millions of downloads between them, exposed 1.5TB of data via an Elasticsearch server.
A research team at reviews site WizCase found the trove, which contained 5.9 million player profiles, two million transactions, and 587,000 feedback messages.
Profiles typically feature player IDs, usernames, country, total money spent on the game, and Facebook, Apple or Google account data if the user linked these with their game account.
Feedback messages contain account IDs, feedback ratings and users' email addresses. At the same time, transaction data includes price, item purchased, time of purchase, payment provider, and sometimes buyer IP addresses, according to WizCase.
The firm warned exposed users that their data might have been picked up by opportunistic cyber-criminals searching for misconfigured databases. Data on how much money individuals have spent on the site could enable fraudsters to target the biggest spenders, it added.
WizCase warned that "it is common for unethical hackers and criminals on the internet to use personal data to create trustworthy phishing emails. The more information they possess, the more believable these emails look."
It went on add that confidential information such as email addresses and user issues with the service could enable bad actors to "pose as game support and direct users to malicious websites where their credit card details can be stolen."
The firm urged gamers to input the minimum amount of personal information possible when purchasing or setting up an account and parents not to lend children their credit cards.
WizCase said it reached out to AMT Games with news of the data breach but did not receive a response. The company later disabled access to the database.