Latest News
Popular Gambling App Exposed Millions of Users in Massive Data Leak
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.
The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world.
Aside from leaking activity on the app, the breached database also exposed private user information.
With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.
Company Profile
Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.
Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8-star rating on both.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.
Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.
- Date discovered: 19th March 2020
- Date vendors contacted: 23rd March 2020
- Date of contact with AWS: 31st March 2020
- Date of Action: Approx. 5th April 2020
Example of Entries in the Database
Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:
- “enter game”
- “win”
- “lose”
- “update account”
- “create account”
During our investigation of the database, new entries continued to appear. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.
In total, this amounted to over 50GB of exposed records in the database every single day.
Many of these records contained various forms of user Personally Identifiable Information (PII), including:
- IP addresses
- Email addresses
- Winnings
- Private messages
This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:
- USA – 10,000+
- UK – 2,475+
- France – 1,650+
- Israel – 408+
- Germany – 1,582+
- Spain – 1,026+
- Italy – 2,407+
- Netherlands – 622+
- Australia – 6,251+
- Canada – 7,792+
- Brazil – 3,859+
- Sweden – 191+
- Russia – 547+
Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungary, and Latvia.
As you can see, on a single day, 10,000s of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.
Data Breach Impact
Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.
Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.
One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.
Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.
With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.
With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:
- Trick them into providing their credit card details
- Trick them into providing additional PII to be used against them in further fraud
- Trick them into clicking a link that embeds malware, spyware, or ransomware onto their device.
If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.
Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.
Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.
Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.
Impact on Clubillion and Its Developers
The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.
With fewer players, Clubillion will lose advertising revenue and see reduced profits.
As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.
Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.
Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.
Advice from the Experts
Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:
- Securing their servers.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
For Clubillion Users
If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.
To learn about data vulnerabilities in general, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.
Our team was able to access this database because it was completely unsecured and unencrypted.
Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.
The purpose of this web mapping project is to help make the internet safer for all users.
Latest News
Ygam Welcomes Two New Trustees

Ygam has strengthened its board of trustees with two appointments bringing combined expertise in governance, policy, public affairs and safeguarding.
Judy White joins the Ygam board with over 20 years of experience in governance and operational leadership across the not-for-profit sector. A Chartered Secretary, Judy has a proven track record in governance, risk management, data protection, transformation and stakeholder engagement. She most recently served as Head of Governance at the British Association for Counselling and Psychotherapy (BACP), where she oversaw governance, assurance and risk across the organisation.
Previously, Judy spent seven years at the Gambling Commission as a Senior Manager in Licensing, where she played a key role in assessing complex licensing applications. Judy’s deep understanding of governance frameworks and regulatory environments will provide crucial oversight and support as Ygam continues to grow and evolve.
Iain Corby joins alongside Judy as an experienced leader with a diverse career spanning consultancy, government policy, and the third sector. His early career included 12 years as a programme management consultant at Deloitte before transitioning into policy work.
Iain has experience working in the gambling harms prevention sector, previously serving as Deputy Chief Executive of GambleAware. He is currently the founding Executive Director of the Age Verification Providers Association, which prioritises child protection in the digital space. With an MBA from UCLA and a reputation for delivering performance improvements, Iain brings strategic insight, commercial acumen and a wealth of knowledge in public affairs and communications.
Mike Wocik, Chair of Ygam, said: “We are delighted to welcome Judy and Iain to the Ygam Board. Their wealth of experience and expertise will further strengthen our governance and strategic leadership, ensuring we continue to operate at the highest standards. Strong governance is the foundation of our success, and their insights will be invaluable as we grow our impact and evolve as a leader in our field. I look forward to working with them to drive our mission forward and make a lasting difference.”
Judy White said: “I’m excited to join the fantastic team at Ygam. I’m passionate about supporting children and young people, and I’ve been hugely impressed by Ygam’s position as a leader in their field, with a clear commitment to high standards of governance and impact. I look forward to engaging and collaborating with the board and staff to advance Ygam’s vision and mission, ultimately supporting children and young people in safely navigating our increasingly digital world.”
Iain Corby said: “Although it has been six years since I was at GambleAware, I have followed developments in the field from a distance and recognise this is a time of great change and opportunity with the introduction of the new levy. The growing focus on prevention has never been more important, and I look forward to supporting the board, the whole leadership team, and the impressive team that is delivering such a formidable impact for young people across the country and beyond.”
The post Ygam Welcomes Two New Trustees appeared first on European Gaming Industry News.
Latest News
Narva Communications Becomes Svenska Spel’s New Agency for Corporate Communications

Narva Communications has become Svenska Spel’s new agency for corporate communications.
“We received high-quality bids from some of Sweden’s leading agencies in Corporate Communication. After a thorough evaluation process, Narva was the agency that received the highest score. They have demonstrated great strategic acumen, strong analytical skills and a very good understanding of Svenska Spel’s mission and communication needs,” Andreas Jerat, Head of Corporate Communication at Svenska Spel, said.
Narva’s assignment includes strategic communication support within Corporate Communication, Public Affairs and financial communication. The assignment also includes the production of annual and sustainability reports. The agreement is valid for two years starting in May 2025, with the possibility of extension 1 + 1 year.
“We are extremely proud that Svenska Spel has chosen Narva as a partner for its group communications. Svenska Spel is one of Sweden’s most well-known brands with an important social mission. We look forward to working with them to develop communications and help further strengthen the image of Svenska Spel as a role model for games that are offered in a safe and responsible manner,” said Frida Dahlgren, CEO of Narva Communications and account manager for Svenska Spel.
Latest News
Online Casino Legalization in Illinois: Study Finds Two-Thirds of Voters in Favor

A recent survey has confirmed that almost two out of three (63%) Illinois residents support legalizing online casinos.
The survey, created by casino bonus and online casino review site BonusFinder.com, asked 1,000 Illinois residents their take regarding legalizing online casinos. The focus group covered voters across a variety of political backgrounds, age groups, and different geos.
Although online casinos are currently illegal in Illinois and can only be accessed illegally, the survey found that one in four residents (26%) admitted to having played at an online casino.
A separate analysis of how much US states could be missing out on in online casino tax revenue found that Illinois could be missing out on up to $788m. Instead of going to the State, this potential tax money is being funneled to unregulated offshore gambling platforms.
When questioned, hypothetically, how residents would prefer the tax revenue to be spent they prioritized: public education (61.4%), mental health and addiction services (54.8%) and improvements in infrastructure (44%).
Other services that were still important, but less of a priority, to those questioned in the survey were: affordable housing (38%), crime prevention (33.1%), community programs (26.2%) and environmental initiatives (22.7%).
“These findings show that Illinoisans are ready for online casinos, as long as it’s done responsibly,” commented Luciano Passavanti, Vice President at BonusFinder.com.
“The message from voters is clear – they want safe, transparent platforms and strict oversight.
“They also want to know that tax revenue from online casinos will directly benefit their communities; whether that’s through education, healthcare, or local infrastructure.
“Illinois is already a major gaming market. Legalizing online casinos is the next logical step.”
While the majority of voters were in favor (63%), 19% were against legalization and 17.5% remained unsure.
The age group most supportive of legalizing online casinos was 45-54, with 68.8% in favor. The age group least in favor of legalization was those aged 65 and over, with 51.2% in favor of legalizing online casinos in Illinois.
The second most supportive age group was those aged 35-44 (64.1%), followed by the 18-34 age bracket, with 63.7% of voters supporting legalization.
When it comes to the battle of the sexes, men were found to be significantly more open to the idea of legalization, with 70.5% of men in support. However, in comparison, just 58.3% of women were found to be in support of legalizing online casinos in the State.
Furthermore, respondents across different political views were also questioned, with findings revealing that Republican voters were slightly more in favor of legalization (65.4%) than Democrat voters (63.3%).