Thousands of User Profiles Exposed in Gaming Website Data Breach
The WizCase team of white hat hackers led by Ata Hakcil discovered a data breach on a popular online card and board gaming website, VIPGames.com. Millions of records including the profiles of thousands of users were exposed. The compromised information included usernames, emails, device details, IP addresses, hashed passwords, social media IDs, in-game transaction details, bets, banned players and more.
If such data had fallen into the hands of cybercriminals, it could have been exploited for identity theft, fraud, phishing, scamming, espionage and malware infestation. The leak was discovered as part of WizCase’ research project that randomly looked for open servers and sought to understand what data these servers contained. We contacted VIPGames.com as soon as we identified them, so they could secure the data.
What’s Going On
Online gaming has rapidly grown in popularity with the global industry projected to surpass $200 billion in revenue by 2023. But as gaming’s reach has grown, so has the volume and sensitivity of data that gaming platforms hold.
Online gaming brings together user personal information, transaction details and gaming habits. This fusion of confidential information creates a lucrative environment for cybercriminals to exploit. Gaming platforms routinely experience multiple attacks from hackers, sabotage from competing platforms, intra-platform attacks by players targeting the Internet connections of rival users, and more.
Our cybersecurity team found that confidential data on VIPGames.com was accessible to the public and could be viewed by anyone with the URL of the ElasticSearch server, left open without any password protection or encryption. The breach of privacy poses a major threat to VIPGames.com and its users. Game user information should be well secured if platforms like VIPGames.com are to avoid becoming the target of a cyberattack.
Who is VIPGames.com
VIPGames.com is a free to play online card and board game platform accessible via the website or the mobile app. It is owned by Casualino JSC, a game development studio that also runs other online card and board game platforms including VIPSpades.com, VIPBelote.fr, Belot.bg, VIPJalsat.com and VIPBaloot.com. While Casualino’s headquarters is in Varna, Bulgaria, the VIPGames.com platform is available worldwide.
The VIPGames.com platform draws over 20,000 active daily players. Among its most popular games are Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo and Yatzy. The mobile app has been downloaded more than 100,000 times on Google Play Store as at December 2020.
What Data Was Leaked?
More than 30GB of data was leaked. It comprised over 66,000 user profiles and 23 million records. The information exposed included usernames, emails, device details, IP addresses, hashed passwords, Facebook IDs, Twitter IDs, Google IDs, in-game transaction details, bets and details regarding banned players.
Sample User Profile
Data related to banned user
Number of Visible User Records vs Non-Anonymous Number of User Records
What Does It Mean for VIPGames.com and Its Users?
The main threats for VIPGames.com and its users include:
1. Identity Theft and Fraud
If a cybercriminal is privy to a user’s information such as their email address and social media IDs (Facebook, Twitter or Google ID in this case), they can infer the person’s full name, recreate their identity and use it for fraud. Also, a hacker could recreate a dummy profile (also known as catfishing) through which they would deceive or harass other users in your name.
2. Password Breach
VIPGames.com’s exposed hashed passwords rely on the Bcrypt hashing algorithm using 10 rounds. Whereas cracking a 10-round Bcrypt password is time consuming, it is not impossible. If an attacker manages to break the password hash, they could try it on other platforms since many users will have the same password on multiple platforms for ease of remembering. Users who have more complex passwords are however generally safe.
3. Scams, Phishing and Malware
Armed with your personal information, a cybercriminal can create an account that they use to lay the foundation for a phishing attack. They will sound more convincing when they request for information over the phone or by redirecting their target to a scam URL. Their target will be more trusting and have no qualms providing the additional information they are requested for.
A hacker could obtain a banned user’s email address and social media IDs then use the reason given for the ban for extortion or revenge. For instance, a player who was banned for possible pedophile behavior could be tricked into a physical meeting with vigilantes. If a user was banned for exhbitionism, someone who knows their email address or social media accounts could threaten to expose them.
Also, given bans are ultimately at the moderators’ discretion, a banned player’s personal reputation may be ruined if the accusation was without merit.
Note that this list of risks is not exhaustive. Cybercriminals are constantly looking for new ways of leveraging confidential information in cyberattacks.
If You Are A VIPGames.com User, What Can You Do?
1. Beware of What You Share
Be vigilant about the data you share on websites you sign up on that request for sensitive data. Go for the bare minimum. Do not share any data that you do not have to. Do not use your personal details on any website that isn’t SSL/TLS secured (i.e. has a HTTPS address). If you have a user profile on VIPGames.com, re-evaluate the information you have shared there.
2. Proper Password Use
We recommend you immediately change your password on both VIPGames.com and any other platform where you use the same login credentials. Going forward, use complex passwords, use a password vault and do not reuse passwords.
3. Check for Unusual Activity
Check other websites you are active on for unusual activity. It could be something seemingly insignificant but that just might be a signal that something much more sinister is going on. If you run into anything suspicious, report it promptly, change your password and, where possible, add two-factor authentication.
4. Do Not Open Suspicious Emails, Attachments or Links
Unless you are certain of the sender of an email, do not open any attachment in the message or click any links therein. Usually, an attacker would use this to send you to a malicious website or download malware. Whenever you receive an email that includes an attachment, a link you are urged to click on or requests you to share confidential information, check the sender’s email address. As a precaution, get in touch with the company it seems to be from directly to confirm that it is legitimate.
5. Do Not Share Confidential Information Over the Phone, Email or Online
Scammers may use the information they already know about you as a basis for extracting more confidential data from you. Do not share confidential information via channels that do not require any authentication from you such as phone call or email. No reputable organization would ask you to share personal information via such insecure means. Call back the company via their official phone numbers to confirm that the call or email is indeed from them.
6. Use a VPN
The VIP.com leaked IP addresses. These can be used to track a user’s location. You can change or mask your device’s IP by using a VPN service. This allows you to create an encrypted tunnel to a VPN service provider of your choosing. This prevents anyone who stumbles on the IP address from knowing your exact location.
7. Install an Antivirus
Install an antivirus software to bolster your device’s security. This will greatly enhance your ability to detect and remove malicious programs such as spyware, viruses, and Trojans. Many antivirus applications come equipped with software that scans emails for phishing signs.
Why Should You Trust WizCase?
WizCase is devoted to Internet safety and online freedom. Translated in 30 languages, we help people and organizations across the globe protect themselves on the worldwide web. We discover and report on new website vulnerabilities and data breaches. Our quality reports have attracted thousands of regular readers over a relatively short period. Before we publish any report, we contact the affected organization to notify them of the issue. This ensures any vulnerabilities and leaks are secured to protect the users and confidential data involved.
“The security team of VIP Games recently made a thorough investigation of an issue that potentially exposed user profiles and bans issued. The misconfiguration was resolved in less than two hours. Information about this was responsibly disclosed by the team at WizCase – cyber security research team.
Their report brought to attention an Elasticsearch server misconfiguration that occurred with one of our servers that was part of our backup log and stored user data older than six months. The event took place on October 5th, and it was resolved within two hours by our team. Sensitive information was not compromised during the aforementioned time frame. User IDs, transactions IDs and social tokens only make sense in our application and can not be used to trace or uncover the identity of the user that was registered or banned by us.
We have since revised our stack to no longer include this type of data storage in any of our environments. Additionally, our team has implemented further improvements to secure all user data.
VIP Games considers the privacy, protection and security of its users as the highest priority and most important task.
We also take into consideration the nature of our audience: socially active gaming fans. The majority of which are proactive and seek no less than a perfect experience within our platform.
We, the VIP Games team, would like to extend our thanks and apologies for the minor lapse, and to assure everyone that we have taken all necessary steps to resolve the issue. We have conducted a comprehensive review of our IT and security systems, and we remain dedicated to the protection and safety of our gaming community.”