23M Gamer Records Exposed in VIPGames Leak

VIPGames.com, a free platform with a total of 56 available classic board and card games like Hearts, Crazy Eights, Euchre, Dominoes, Backgammon and others, has exposed the personal data of tens of thousands of users.

In all, more than 23 million records for more than 66,000 users were left exposed thanks to a cloud misconfiguration, according to a new report from WizCase. Aside from its desktop users, VIPGames has mobile players too, including via an app that’s been downloaded from the Google Play store more than 100,000 times alone.

The site joins a growing list of companies caught without properly configurated clouds which can lead to disastrous results for customers.

The WizCase research team, led by Ata Hackl, regularly scans the internet for open servers and found the sensitive personal information exposed and available to any cybercriminal who happened to stumble across it.

Online gaming represents a particularly desirable set of personal details for cybercriminals, the report explained.

Leaky Gamer Clouds Particularly Dangerous

“Online gaming brings together user personal information, transaction details and gaming habits. This fusion of confidential information creates a lucrative environment for cybercriminals to exploit,” the WizCase report explained. “Gaming platforms routinely experience multiple attacks from hackers, sabotage from competing platforms, intra-platform attacks by players targeting the Internet connections of rival users, and more.”

In this case, the site’s unprotected server leaked more than 30GB of data containing 23 million individual records, including usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and even data on players who were banned from the platform, WizCase said.

“Each of these data sets is not just valuable on its own but can also be used to map out other information,” the report explained. “For example, from the player IDs, it’s possible for an attacker to locate the player’s email address, IP address and hashed password, which is particularly relevant for the banned players.”

The report added that the VIPGames.com Terms of Use explains players can be blocked from the platform for bad behavior or cheating, and that the exposed records included the dirty details of each infraction.

“Some of these included potential pedophilia and exhibitionism,” WizCase said, adding potential blackmail to the list of threats the exposed data posed to users, in addition to identity theft, password breaches, phishing scams, malware and more.

Threatpost reached out to VIPGames.com for comment but hasn’t received a response.

And while this breach is alarming, it is part of a wider trend of companies failing to lock down their data in the cloud.

Misconfigured Clouds Are Everywhere

Last September high-end gaming gear company Razer left the personal data of about 100,000 users exposed on a similar Elasticsearch cloud cluster.

That same month, a group of 70 different adult dating sites was also discovered to be storing sensitive personal data — like sexual preferences — on an unsecured Elasticsearch server, leaking more than 320 million individual records.

In April, the Key Ring digital wallet app exposed 44 million customer records including IDs, charge cards, loyalty cards, gift cards and membership cards left open on an Amazon Web Services S3 server. And last summer, Joomla exposed the data of 2,700 people signed up for the Joomla Resources Directory community forum in an unsecured Amazon Web Services cloud storage bucket.

Palo Alto Networks’ Unit 42 estimates about 60 percent of breaches occur because of misconfigured public clouds.

Ryan Olson, vice president of threat intelligence with the Unit 42 team, explained that while 86 percent of companies deploy cloud apps, only 34 percent have “single sign-on (SSO) solutions in place, demonstrating a massive gap in cloud adoption and necessary cloud-security solutions.”

As for users, experts agree basic best practices for online security are always a good idea — be careful about what you share, avoid clicking on suspicious emails or links and proper password hygiene are important, WizCase advised. The firm also suggested using a VPN service to keep location data secure and install good antivirus software while the industry struggles to keep up.

“The use of the cloud enables organizations to reach their goals and scale with ease,” Anurag Kahol, CTO at Bitglass, said via email. “As more organizations adopt cloud-based tools to obtain a competitive advantage, the rate of cloud-application usage increases in tandem. However, most organizations are not equipped to handle the security demands of the cloud.”

Download our exclusiveFREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story andDOWNLOAD the eBook now** – on us!**