Tens of thousands of users have had their personal details exposed after a popular online gaming site misconfigured the Elasticsearch server on which they were stored.
A research team at WizCase found the wide-open server, with zero encryption and no password protection, through a simple search. It was traced back to VIPGames.com, a popular free-to-play card and board game platform with 100,000 Google Play downloads and roughly 20,000 active daily players globally.
The site features games such as Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo and Yatzy. Its Bulgarian developer, Casualino JSC, runs multiple similar gaming platforms including VIPSpades.com, VIPBelote.fr, Belot.bg, VIPJalsat.com and VIPBaloot.com.
Over 30GB of data was leaked in the privacy snafu, including 23 million records. In this trove, the researchers picked out 66,000 user profiles including usernames, emails, device details, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, in-game transaction details, bets and details regarding banned players.
The passwords were hashed with the Bcrypt algorithm using 10 rounds, which, while time-consuming, is not impossible for a determined attacker to crack, WizCase argued. Cracked passwords could then be used to try to open other sites and accounts used by the same gamers.
The firm warned that if a threat actor had found the exposed data, they could have crafted convincing phishing attacks by email or phone, using the extensive personal information in these profiles.
There was even an opportunity for blackmail of certain banned users of the site, it claimed.
“A hacker could obtain a banned user’s email address and social media IDs then use the reason given for the ban for extortion or revenge. For instance, a player who was banned for possible pedophile behavior could be tricked into a physical meeting with vigilantes,” WizCase continued.
“If a user was banned for exhibitionism, someone who knows their email address or social media accounts could threaten to expose them. Also, given bans are ultimately at the moderators’ discretion, a banned player’s personal reputation may be ruined if the accusation was without merit.”
Users were advised not to reuse passwords, to use a password manager, to be cautious of unsolicited phone calls, and not to reply to unsolicited emails.