Football Fans’ Data Exposed Through Bucket Misconfiguration
WizCase uncovered a significant amount of personal data exposed by a popular Mexican fantasy football site, Fut Fantastico. The breach revealed various pieces of personally identifiable information, including the full names, email addresses, dates of birth, IP addresses, and more, of over 150,000 users, both active and inactive. The misconfigured bucket has since been secured; we sent responsible disclosure emails to the company but received no response.
What’s Going on?
Fut Fantastico is an online platform for football fans offering a virtual ‘dream team’ management experience. The site is owned by a highly-popular Latin American mass media company, Televisa.
Our team of white hat hackers, led by Avishai Efrat, discovered a misconfigured Amazon S3 bucket containing user data identified as belonging to the Fut Fantastico platform. The bucket name contained the initials of Televisa Interactive Media, and the bucket appears to have been used to store user data, including images saved from the fantasy gaming app. It also exposed what appears to be an old Fut Fantastico promo video.
The misconfigured bucket also contained two CSV files exposing personally identifiable information for a large group of users, including:
- Full name
- Email address
- Date of birth
- Date of user registration
- Recently used IP address
- Notification settings
- Last login date and time
- In-game statistics
Whose Data Was Exposed and What Are the Consequences?
Our team discovered a misconfigured public Amazon bucket holding the records of over 150,000 Mexican users who registered between 2017 and 2019.
The misconfigured bucket could give scammers and criminals unrestricted access to a range of personal information. From the exposed data, an unauthorized person can learn, among other details, a user’s name and location. This breach of privacy could pose serious threats to everyone involved.
These threats include (but are in no way limited to):
- Fraud and identity theft: With personal details readily available, hackers can use them for fraudulent activities or to build new identities. The latter can be used to open new bank accounts, take over existing ones, purchase illegal items, or even obtain legitimate legal documents such as passports or driving licenses.
- Phishing scams and malicious emails: Scammers use leaked user data to establish trust and trick victims into providing additional valuable information, such as credit card numbers or passwords. Unsuspecting victims are also more likely to click on malicious phishing links or open malware attached to emails. While phishing scams are used to collect sensitive information, downloading malware can have catastrophic consequences, as it may even allow attackers to take full control of the victim’s device.
- Business espionage: The exposed database could have allowed competitor companies to target Fut Fantastico users, for example by sending detailed promotional emails with exclusive deals to lure users onto their own platforms.
What Can I Do to Protect My Data?
Any company that handles sensitive personal data should make protecting its databases a top priority. Unfortunately, data leaks and breaches are becoming far more common.
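Since this leak came down to a bucket that anyone on the internet could read, the check a bucket owner most wants is one that flags that state before data is stored there. The following Python is an added example, not WizCase’s or Televisa’s code: it evaluates an S3 bucket’s ACL, bucket policy and Block Public Access settings (in the shape boto3’s get_bucket_acl, get_bucket_policy and get_public_access_block return them) offline on constructed inputs; the bucket name and policy are placeholders, not the bucket described above.

```python
import json

# ACL grantee groups that make a bucket or object readable outside the account.
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_public_grants(acl):
    """Permissions the ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return sorted({g["Permission"] for g in acl.get("Grants", [])
                   if g.get("Grantee", {}).get("Type") == "Group"
                   and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS})

def policy_public_statements(policy):
    """Sids of Allow statements open to Principal '*' with no Condition. Simplification:
    any Condition is treated as restricting, which AWS itself does not assume."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for s in stmts:
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        p = s.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"])):
            hits.append(s.get("Sid", "<no Sid>"))
    return hits

def assess_bucket(acl, policy=None, public_access_block=None):
    """Findings for one bucket; an empty list means nothing is reachable publicly.
    Block Public Access overrides a public ACL (IgnorePublicAcls) and a public
    policy (RestrictPublicBuckets), so those flags decide whether a hit counts."""
    pab = public_access_block or {}
    findings = []
    grants = acl_public_grants(acl)
    if grants and not pab.get("IgnorePublicAcls", False):
        findings.append(f"ACL grants {grants} to a public group")
    sids = policy_public_statements(policy) if policy else []
    if sids and not pab.get("RestrictPublicBuckets", False):
        findings.append(f"policy statements {sids} allow Principal '*' unconditionally")
    return findings

# Constructed sample inputs shaped like boto3's get_bucket_acl, get_bucket_policy
# and get_public_access_block responses; the bucket name is a placeholder.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

Run against the constructed inputs, the open bucket yields two findings and the same bucket with all four Block Public Access flags set yields none.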
Even if your Fut Fantastico account is now inactive, watch out for unusual and suspicious emails. Double-check each sender’s address before responding and, if in doubt, confirm with the company itself that an email is genuine. Should you come across a message you believe to be malicious, report it straight away.
If you have an active Fut Fantastico account, be mindful of the personal details you enter. As a general rule, always think carefully about which information you’re willing to share, regardless of how safe you think the website is. Once your data is saved on the internet, there’s always a possibility it’ll be exposed in a data breach.
Additionally, we highly recommend downloading a VPN and reliable antivirus software for stronger device security. Both will help protect your device against accidentally downloaded malware, phishing attacks, and many other cybercrimes. Moreover, a VPN gives you a completely different IP address, which would have hidden the virtual location that the Fut Fantastico data leak exposed.
Who Is WizCase?
WizCase is one of the most popular international online security news sources. We provide up-to-date insights into staying safe on the internet, including honest and real VPN reviews and tutorials. Our team of hacktivists regularly uncover data leaks of all sizes — including some of the biggest breaches in the world, like unsecured webcams or dating site scandals. Together, we report the issues to the companies involved as well as the public for a safer and more secure online environment for everyone.