23M Gamer Records Exposed in VIPGames Leak

The personal data of 66,000 users was left wide open on a misconfigured Elasticsearch server, joining a growing list of companies with leaky clouds.


VIPGames, a free platform with a total of 56 available classic board and card games like Hearts, Crazy Eights, Euchre, Dominoes, Backgammon and others, has exposed the personal data of tens of thousands of users. While the game publisher acknowledges the potential for user data exfiltration, it maintains that there is no evidence data was actually leaked.

In all, more than 23 million records for more than 66,000 users were left exposed thanks to a cloud misconfiguration, according to a report from WizCase. Aside from its desktop users, VIPGames has mobile players too, including via an app that’s been downloaded more than 100,000 times from the Google Play store alone.

The site joins a growing list of companies caught without properly configured clouds, which can lead to disastrous results for customers.

In a statement, released after this original Threatpost report was published, VIPGames acknowledged “an issue that potentially exposed user profiles” but stated it wasn’t aware any user data was leaked.

“We would like to clarify that this was a temporary misconfiguration, NOT an attack, hack, or breach. There are no records of any data being leaked. This misconfiguration was disclosed to us by a team of white hat penetration testers,” the company publicly stated. “The misconfiguration was resolved in less than two hours. Information about this was responsibly disclosed by the team at WizCase – cyber security research team.”

The WizCase research team, led by Ata Hackl, regularly scans the internet for open servers and found the sensitive personal information exposed and available to any cybercriminal who happened to stumble across it.

Online gaming represents a particularly desirable set of personal details for cybercriminals, the report explained.

Leaky Gamer Clouds Particularly Dangerous

“Online gaming brings together user personal information, transaction details and gaming habits. This fusion of confidential information creates a lucrative environment for cybercriminals to exploit,” the WizCase report explained. “Gaming platforms routinely experience multiple attacks from hackers, sabotage from competing platforms, intra-platform attacks by players targeting the Internet connections of rival users, and more.”

In this case, the site’s unprotected server leaked more than 30GB of data containing 23 million individual records, including usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and even data on players who were banned from the platform, WizCase said.

“Each of these data sets is not just valuable on its own but can also be used to map out other information,” the report explained. “For example, from the player IDs, it’s possible for an attacker to locate the player’s email address, IP address and hashed password, which is particularly relevant for the banned players.”

The report added that the VIPGames Terms of Use explains players can be blocked from the platform for bad behavior or cheating, and that the exposed records included the dirty details of each infraction.

“Some of these included potential pedophilia and exhibitionism,” WizCase said, adding potential blackmail to the list of threats the exposed data posed to users, in addition to identity theft, password breaches, phishing scams, malware and more.

“Their report brought to attention an Elasticsearch server misconfiguration that occurred with one of our servers that was part of our backup log and stored user data older than six months. The event took place on October 5th, and it was resolved within two hours by our team,” VIPGames said in its statement. “We have since revised our stack to no longer include this type of data storage in any of our environments. Additionally, our team has implemented further improvements to secure all user data.”

This breach represents a wider trend of companies failing to lock down their data in the cloud.

Misconfigured Clouds Are Everywhere

Last September, high-end gaming gear company Razer left the personal data of about 100,000 users exposed on a similar Elasticsearch cloud cluster.

That same month, a group of 70 different adult dating sites was also discovered to be storing sensitive personal data — like sexual preferences — on an unsecured Elasticsearch server, leaking more than 320 million individual records.

In April, the Key Ring digital wallet app exposed 44 million customer records, including IDs, charge cards, loyalty cards, gift cards and membership cards, left open on an Amazon Web Services S3 server. And last summer, Joomla exposed the data of 2,700 people signed up for the Joomla Resources Directory community forum in an unsecured Amazon Web Services cloud storage bucket.

Palo Alto Networks’ Unit 42 estimates about 60 percent of breaches occur because of misconfigured public clouds.

Ryan Olson, vice president of threat intelligence with the Unit 42 team, explained that while 86 percent of companies deploy cloud apps, only 34 percent have “single sign-on (SSO) solutions in place, demonstrating a massive gap in cloud adoption and necessary cloud-security solutions.”

As for users, experts agree basic best practices for online security are always a good idea: being careful about what you share, avoiding clicking on suspicious emails or links, and practicing proper password hygiene are important, WizCase advised. The firm also suggested using a VPN service to keep location data secure and installing good antivirus software while the industry struggles to keep up.

“The use of the cloud enables organizations to reach their goals and scale with ease,” Anurag Kahol, CTO at Bitglass, said via email. “As more organizations adopt cloud-based tools to obtain a competitive advantage, the rate of cloud-application usage increases in tandem. However, most organizations are not equipped to handle the security demands of the cloud.”

(This article was updated on 2/2/21 to reflect the public statement by VIPGames regarding the incident.)
