BetVictor Leaked a Password List for Its Internal System on the Betting Platform


The FIFA World Cup is in full swing at the moment, which means that soccer (or football) fans are being treated to 96 hours of the beautiful game in the span of just over a month. That's 64 games in 32 days, and the fans aren't the only ones getting excited. Bookmakers are also rubbing their hands, expecting record-breaking revenues and profits. For the people running BetVictor, an online betting platform headquartered in Gibraltar, however, things are a little different: it was recently discovered that until not long ago, their website was leaving a great deal of extremely sensitive information completely exposed.

A silly mistake shows how BetVictor’s customer service agents are trained

The data was found by security researcher Chris Hogben who was visiting BetVictor's website in the same way a regular user would. In his blog post, Hogben said that he was having some problems with the platform and was trying to resolve them. He found the knowledge base section and set about using the search box to find the answers to his questions.

He ended up looking at things he wasn't supposed to see: an article that told customer service agents how to handle various queries coming from clients. The screenshot Hogben posted shows some tricks designed to calm BetVictor's unhappy users in the hope that they'll abandon their plans to cancel a particular service.

It's safe to assume that similar documents are part of customer service agents' training at many companies, but they tend to be shared only among staff. Someone at BetVictor (intentionally or not) left them exposed, which is embarrassing. The online bookie's second security blunder isn't merely embarrassing, though. It's dangerous.

The big problems

Hogben was intrigued by the public nature of the customer service training docs and wondered what else the search box could reveal. He typed in "admin" and saw some worryingly relevant results.

There was a document which, despite its "Internal" label, was visible to anyone who knew what to search for. It contained a total of 27 URLs linking to BetVictor's internal ticketing and trading systems, as well as an entry for the Experian identity verification service. It also contained 19 username and password combinations, some of which were apparently to be used at the aforementioned URLs.

Chris Hogben tried the 27 URLs and discovered that 22 of them could be visited from anywhere in the world.

An example of shocking password management

Hogben didn't test the login credentials because that would've been illegal. Having discovered them in a public place, however, there was nothing to stop him from analyzing them.

Five of the passwords were identical or nearly identical to the username they came with, and 11 of them were present in Troy Hunt's Pwned Passwords database. It would appear that the person responsible for managing those passwords made some pretty basic mistakes. Hardly ideal when you consider that they're working for a betting platform used by over half a million people.
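As an added illustration (not code from Hogben's post or from BetVictor), here is a credential-hygiene audit that applies the two checks the article describes: flagging passwords identical or nearly identical to their username, and checking passwords against a breached-password corpus the way the Pwned Passwords range API does it (only the first five hex characters of the SHA-1 leave the host; the suffix match happens locally). The credential pairs and the breach corpus are constructed samples, not the leaked entries.

```python
import hashlib

# Constructed sample credential pairs; these are NOT the leaked BetVictor entries.
SAMPLE_CREDS = [
    ("trading_ops", "trading_ops"),            # identical to the username
    ("ticket_admin", "Ticket_admin1"),         # nearly identical (case + one char)
    ("exp_verify", "password1"),               # present in the constructed corpus
    ("svc_reports", "c0rr3ct-h0rse-b4ttery"),  # passes both checks
]
# Constructed stand-in for a breached-password corpus such as Pwned Passwords.
KNOWN_BREACHED = ["password1", "123456", "qwerty", "letmein"]

def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()

def build_range_index(breached):
    """Map 5-char SHA-1 prefix -> set of 35-char suffixes, the k-anonymity split."""
    index = {}
    for pw in breached:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(creds, range_index, max_username_distance=2):
    """Return {username: [findings]} for every credential pair that fails a check."""
    findings = {}
    for user, pw in creds:
        issues = []
        if edit_distance(user.lower(), pw.lower()) <= max_username_distance:
            issues.append("password identical or nearly identical to username")
        digest = sha1_hex(pw)
        # In a real range query only digest[:5] is sent; the suffix check stays local.
        if digest[5:] in range_index.get(digest[:5], set()):
            issues.append("password present in breached-password corpus")
        if issues:
            findings[user] = issues
    return findings

REPORT = audit(SAMPLE_CREDS, build_range_index(KNOWN_BREACHED))
```

Raising max_username_distance catches more "username plus a digit" variants at the cost of more false positives on very short usernames.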

And while we're on the subject of things that are not perfect, BetVictor's handling of the problem left a lot to be desired as well.

We still don’t know how big the incident could have been

The communication between Chris Hogben and BetVictor shows that the company's representatives weren't very talkative. Asked by the media, they did say that the internal documents, which were part of a customer service help section, had been removed. They also said that an investigation was ongoing.

What they didn't say is whether any user information could have been stolen from the internal systems that were left out in the open. We're pretty sure that the people responsible for enforcing the EU's new GDPR rules would be interested in hearing that as well.

BetVictor got lucky

There's no evidence of someone with bad intentions getting their hands on the login credentials and internal URLs and using them to actually do damage, so it's safe to say that the people at BetVictor can breathe a sigh of relief. Users, however, can't do that.

The whole fiasco shows how sloppy some companies are when it comes to handling sensitive information.

June 29, 2018