Top-Ranked Gambling App, Clubillion, Risks Millions of Users' Data Due to Breach

A gambling app, used by millions, fell victim to a cyber attack. That resulted in a massive leak threatening the private data of countless users.

The app bears the name Clubillion, and it's a gambling app. It's a free online casino game that you can get for both Android and iOS. The app got released last year, 2019, but don't let its short lifespan fool you – it was an immediate hit among users. It has mustered a high rating, and a rank of #1 'social slots' casino app on both Google Play and the App Store.

What Happened?

How was it possible to leak so much private information? Well, the entire structure of the app made it, so users were vulnerable from the get-go. The breach originated in a technical database. One built on an Elasticsearch engine and hosted on Amazon Web Services (AWS). It recorded the daily activities of all Clubillion players. That's millions of users from all over the world.

We have a relative timeline of the breach – when it got discovered and such. You can see it below.

  • Date discovered: 19th March 2020
  • Date vendors contacted: 23rd March 2020
  • Date of contact with Amazon Web Services (AWS): 31st March 2020
  • Date of Action: Approx. 5th April 2020

Timeline of events. Source: vpnmentor.com

The hackers not only gained access to those details (users' daily activities) but also to their private data, which had also gotten stored on the same database. The database collected information from all iOS and Android devices, and meticulously logged all user activity. You can see a few examples below.

  • "enter game"
  • "win"
  • "lose"
  • "update account"
  • "create account"

Example of logged records. Source: vpnmentor.com

Experts continued to observe the database and noticed new entries proceeded to appear. Their observation proved there had been about 200 million records made each day. Some days even exceeded that number.

To put the breach into numbers, it would mean that over 50GB of records got exposed per day from that database.

The users' information had been, pretty much, publicly available. Clubillion players had been unaware that they were in such grave danger of hacks and leaks, and all manner of dangerous online attacks.

Hackers managed to get their hands on an array of user Personally Identifiable Information (PII), including but not limited to IP addresses, winnings, email addresses, and even private messages.

You can see in the code snippet below how user email addresses got exposed.

Fig.1
Code displaying the exposure of user email addresses to the public. Source: vpnmentor.com

Global Exposure

The Clubillion data breach is global. It affected users from a variety of countries. Below, you'll find a list of names and numbers displaying only some of the countries struck by the breach, and the average number of users per day, for the respective country.

  • USA – 10,000+
  • UK – 2,475+
  • France – 1,650+
  • Israel – 408+
  • Germany – 1,582+
  • Spain – 1,026+
  • Italy – 2,407+
  • Netherlands – 622+
  • Australia – 6,251+
  • Canada – 7,792+
  • Brazil – 3,859+
  • Sweden – 191+
  • Russia – 547+

Countries and their respective number of daily Clubillion users. Source: vpnmentor.com

Other affected places include Austria, Hungary, India, Indonesia, Latvia, Lebanon, Pakistan, Philippines, Poland, Romania, Thailand, Uzbekistan, and Vietnam.

Researchers conducted a study of 23,000 free gambling apps, which led to the discovery that 3,200 posed a 'moderate risk' to users, 379 had known security vulnerabilities, and 52 had malware. That may not seem an impressive number, but think of the hundreds, thousands, and millions of users affected.

A Preferred Target

Gambling apps like Clubillion, and gambling sites, in general, are particularly prone to cyber-attacks. Since these types of services (online gambling) are known for their lack of transparency, cybercriminals tend to prefer them as victims. Hackers prey on them for data theft, as well as for embedding malware on users' devices. And, users get left to guess what precautions these services are taking against attacks.

The private information cyber-attackers steal can later get used for a plethora of nefarious purposes. Like, extortion and even attempts at identity fraud, to name a few. Not to mention, crooks can send out targeted phishing campaigns against users, whose data they managed to get a hold of; it can be quite helpful in their scams. Since the hackers would have gotten a lot of personal details from users, they can trick them with much more ease.

They can get players to provide further information and even their financial data. Like, tricking them into 'confirming' a transaction for which you must provide credit card details. At the very least, they can attempt to get users to click a link that would prove corrupted and lead to even more trouble. Malicious links may land malware on your device. You can end up with spyware or ransomware, neither of which is a desirable option.

If crooks manage to embed malware on your phone, that presents yet another array of issues. They can end up hacking other apps, as well. They can make calls and send texts, and use your contact list to steal information on your closest people.

Be Wary and Don’t Put Yourself at Risk!

While users face a plethora of risks due to the data breach, Clubillion faces a loss of users and potential removal from Google Play and the App Store. As of the writing of this article, that has not happened, and the app remains available for download.

Clubillion's developers should have been more careful with the online security for their app and the database. If they had been, that breach could have gotten avoided. A few basic steps could have protected their users from cybercriminals.

You can find some prominent yet simple measures that could have helped in this scenario, below.

  • Securing their servers.
  • Implementing proper access rules.
  • Never leaving a system that doesn't require authentication open to the internet.
  • Any company can replicate the same steps, no matter its size

Measures to defend from cyber-attacks. Source: vpnmentor.com

If you wish to avoid placing yourself and your information in jeopardy, be cautious. Be careful who you provide with what data. Not all sites and apps deserve access to your details. Make sure to trust only reliable and secured applications and websites.

By Kole
July 21, 2020
Computer Security
English
July 21, 2020
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

5 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

News

A Data Breach Affecting 21 Million Users Hits Timehop App

Timehop is an application that reminds you how embarrassing your old tweets and Facebook statuses are. It's now time for Timehop's creators to feel embarrassed because thanks to their sloppy security practices, they... Read more

July 11, 2018
News

Thousands of PhotoSquared Users Are Facing a Data Breach

As some of you may know by now, Noam Rotem and Ran Locar lead a team of researchers at VPN Mentor that is tasked with a large-scale web mapping project designed to uncover and secure poorly protected databases that... Read more

February 18, 2020
News

Hackers Breach Mixcloud and Sell Users' Data Online

After they breach an online service or a website, hackers usually try to monetize the data they've stolen by selling it either on the dark web or on one of the many hacking forums that are indexed by Google and are... Read more

December 3, 2019
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.