Top-Ranked Gambling App, Clubillion, Risks Millions of Users' Data Due to Breach

A gambling app, used by millions, fell victim to a cyber attack. That resulted in a massive leak threatening the private data of countless users.

The app bears the name Clubillion, and it's a gambling app. It's a free online casino game that you can get for both Android and iOS. The app got released last year, 2019, but don't let its short lifespan fool you – it was an immediate hit among users. It has mustered a high rating, and a rank of #1 'social slots' casino app on both Google Play and the App Store.

What Happened?

How was it possible to leak so much private information? Well, the entire structure of the app made it, so users were vulnerable from the get-go. The breach originated in a technical database. One built on an Elasticsearch engine and hosted on Amazon Web Services (AWS). It recorded the daily activities of all Clubillion players. That's millions of users from all over the world.

We have a relative timeline of the breach – when it got discovered and such. You can see it below.

  • Date discovered: 19th March 2020
  • Date vendors contacted: 23rd March 2020
  • Date of contact with Amazon Web Services (AWS): 31st March 2020
  • Date of Action: Approx. 5th April 2020

Timeline of events. Source: vpnmentor.com

The hackers not only gained access to those details (users' daily activities) but also to their private data, which had also gotten stored on the same database. The database collected information from all iOS and Android devices, and meticulously logged all user activity. You can see a few examples below.

  • "enter game"
  • "win"
  • "lose"
  • "update account"
  • "create account"

Example of logged records. Source: vpnmentor.com

Experts continued to observe the database and noticed new entries proceeded to appear. Their observation proved there had been about 200 million records made each day. Some days even exceeded that number.

To put the breach into numbers, it would mean that over 50GB of records got exposed per day from that database.

The users' information had been, pretty much, publicly available. Clubillion players had been unaware that they were in such grave danger of hacks and leaks, and all manner of dangerous online attacks.

Hackers managed to get their hands on an array of user Personally Identifiable Information (PII), including but not limited to IP addresses, winnings, email addresses, and even private messages.

You can see in the code snippet below how user email addresses got exposed.

Fig.1
Code displaying the exposure of user email addresses to the public. Source: vpnmentor.com

Global Exposure

The Clubillion data breach is global. It affected users from a variety of countries. Below, you'll find a list of names and numbers displaying only some of the countries struck by the breach, and the average number of users per day, for the respective country.

  • USA – 10,000+
  • UK – 2,475+
  • France – 1,650+
  • Israel – 408+
  • Germany – 1,582+
  • Spain – 1,026+
  • Italy – 2,407+
  • Netherlands – 622+
  • Australia – 6,251+
  • Canada – 7,792+
  • Brazil – 3,859+
  • Sweden – 191+
  • Russia – 547+

Countries and their respective number of daily Clubillion users. Source: vpnmentor.com

Other affected places include Austria, Hungary, India, Indonesia, Latvia, Lebanon, Pakistan, Philippines, Poland, Romania, Thailand, Uzbekistan, and Vietnam.

Researchers conducted a study of 23,000 free gambling apps, which led to the discovery that 3,200 posed a 'moderate risk' to users, 379 had known security vulnerabilities, and 52 had malware. That may not seem an impressive number, but think of the hundreds, thousands, and millions of users affected.

A Preferred Target

Gambling apps like Clubillion, and gambling sites, in general, are particularly prone to cyber-attacks. Since these types of services (online gambling) are known for their lack of transparency, cybercriminals tend to prefer them as victims. Hackers prey on them for data theft, as well as for embedding malware on users' devices. And, users get left to guess what precautions these services are taking against attacks.

The private information cyber-attackers steal can later get used for a plethora of nefarious purposes. Like, extortion and even attempts at identity fraud, to name a few. Not to mention, crooks can send out targeted phishing campaigns against users, whose data they managed to get a hold of; it can be quite helpful in their scams. Since the hackers would have gotten a lot of personal details from users, they can trick them with much more ease.

They can get players to provide further information and even their financial data. Like, tricking them into 'confirming' a transaction for which you must provide credit card details. At the very least, they can attempt to get users to click a link that would prove corrupted and lead to even more trouble. Malicious links may land malware on your device. You can end up with spyware or ransomware, neither of which is a desirable option.

If crooks manage to embed malware on your phone, that presents yet another array of issues. They can end up hacking other apps, as well. They can make calls and send texts, and use your contact list to steal information on your closest people.

Be Wary and Don't Put Yourself at Risk!

While users face a plethora of risks due to the data breach, Clubillion faces a loss of users and potential removal from Google Play and the App Store. As of the writing of this article, that has not happened, and the app remains available for download.

Clubillion's developers should have been more careful with the online security for their app and the database. If they had been, that breach could have gotten avoided. A few basic steps could have protected their users from cybercriminals.

You can find some prominent yet simple measures that could have helped in this scenario, below.

  • Securing their servers.
  • Implementing proper access rules.
  • Never leaving a system that doesn't require authentication open to the internet.
  • Any company can replicate the same steps, no matter its size

Measures to defend from cyber-attacks. Source: vpnmentor.com

If you wish to avoid placing yourself and your information in jeopardy, be cautious. Be careful who you provide with what data. Not all sites and apps deserve access to your details. Make sure to trust only reliable and secured applications and websites.

July 21, 2020

Leave a Reply