According to vpnMentor, a massive data leak on the popular gambling app Cubillion has exposed personal details and daily activities of millions of app users.
The unguarded database was housed on a misconfigured Elastisearch engine and recorded as many as 200 actions per day or over 50GB of data. This included technical activities of both iOS and Android users globally.
Each time that an individual performed a particular action on the app, a record was logged, registering things such as creation and updating of accounts, game statuses, email and IP addresses, amounts of winnings and private messages.
The data leak has affected users from all parts of the world, with many countries identifying higher than regular user activity (e.g. daily users exceeded 7,700 for Canada, which is way above standard numbers). The breach was eventually detected on 19 March. Shortly after that, all public access was closed off after the matter was brought to the attention of Amazon Web Services.
The Repercussions
vpnMentor has emphasized that free gaming and gambling applications are often exposed to cyberattacks from online criminals. These felons embed malicious software to gain access to user devices and gather private user info.
“If cybercriminals used Clubillion to embed malware onto a user’s smartphone, they could hack other apps, access files stored on the device, send texts, and make calls from the hacked device,” researchers revealed. “Even worse, as people across the globe find themselves under quarantine or self-isolation as a result of the COVID-19 pandemic, the impact of this type of leak is even more significant.”
When in possession of leaked information, the attacker can target users using methods such as phishing campaigns, further creating financial and data exposure. On the other hand, developers are at risk of losing millions of their existing clients due to penalties that might be issued by regulatory bodies that oversee the implementation of privacy policies.
The research also paints a bleak picture for the app itself, with both App Store and Google Play removing the application from their repertoires. As it stands, both Google and Apple are proactively clamping down on those apps that are deemed risky to their users.
Apps that are embedded with malware have been their primary target, although data leaks are bound to be treated with even greater severity. It remains to be seen whether Clubillion can weather this storm or if it will become yet another in the long list of banned apps.
