A New Data Breach Affects Multiple Online Casinos
In theory, the constant stream of news about leaked data should raise awareness not only among users but also among service providers who can take these incidents as valuable lessons and learn from other people's mistakes. In reality, this doesn't seem to be happening. Case in point – the data breach that affected the users of several online casinos.
Justin Paine, Cloudflare's Director of Trust & Safety, was the specialist that first noticed the exposed information last week. It's a treasure trove of data that contains users' names, email addresses, usernames, phone numbers, dates of birth, account balances, IP addresses, and browser and OS information. In addition to the personal data, Paine also found 108 million records that contained information on wins, withdrawals, and deposits. This is particularly worrying for the people affected, but before we get into more details, let's take a look at what happened and who is responsible.
Childish mistakes lead to data breaches
Paine didn't find the data on the dark web. It wasn't traded for a few bitcoins, and it's not clear whether any cybercriminals accessed it at all. The information was actually hosted on an ElasticSearch server that was connected to the internet and was not protected by a password. In other words, it was accessible to anyone with a browser and an internet connection, and nobody knows for how long.
ElasticSearch is an open source search engine that helps companies organize and search through large amounts of data. If the data is particularly sensitive, sysadmins can keep ElasticSearch servers on an internal network, and when they do need to put them on the internet, they can place them behind a password. For reasons that are not entirely clear, however, the people responsible for this particular database made a foolish configuration mistake and left the information completely exposed. But who are these people?
Justin Paine enlisted the help of ZDNet in trying to find the owner of the ElasticSearch server. Apparently, the data belongs to several online casinos owned by companies based in Cyprus and Curacao. The full list of domains wasn't published, but ZDNet's report says that easybet.com, kahunacasino.com, azur-casino.com, and viproomcasino.net are among the affected gambling sites. If you've used any of them, you might want to pay a bit more attention from now on.
The breach puts gamblers at risk
There is some good news. It's unclear whether the owners of the websites acted upon Paine's notification, or whether OVH, the provider that hosted the database, took it down, but the fact of the matter is, the data is no longer accessible. What's more, although the 108 million records did contain some payment information, it was redacted meaning that the full details haven't been exposed.
What was leaked, however, was personal and contact data of users who have won what could be a significant amount of money on an online platform. This makes them prime targets for all sorts of scams meaning that they should be especially careful in the wake of this breach.
This isn't the first time data has been exposed because of a simple configuration error, and we wouldn't bet on it being the last. The gigabytes of user information that is just clicks away shows that the people responsible for it should really up their game a bit and learn how to set up their databases.