Industry News
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.
The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
Evoke, one of the world’s leading betting and gaming companies with internationally renowned brands including William Hill, 888 and Mr Green, announced the establishment of a new Technology Committee of the Board effective immediately.
The Committee will be chaired by Independent Non-Executive Director Susan Standiford. Non-executive Directors Limor Ganot and Ori Shaked will also be members of the Committee.
The Committee will provide Board-level oversight of evoke’s major technology investments and initiatives, ensuring alignment with business strategy, risk management and operational effectiveness.
Jon Mendelsohn, Chairman of evoke, said: “In a world where technology is evolving at break-neck speed and in an industry where technology leadership is a core driver of sustainable success, our Technology Committee will play an important role in strengthening the Board’s governance and long-term strategy development. The Committee will focus on providing transparency and insight across our product, technology, data and operational initiatives as well as informing the Board and executive leadership on technology trends with the potential to shape the Group’s long-term competitive advantages.”
The post Evoke Announces the Establishment of a New Technology Committee appeared first on European Gaming Industry News.
Welcome to our weekly roundup of American gambling news again! Here, we are going through the weekly highlights of the American gambling industry which include the latest news and new partnerships. Read on and get updated.
Latest News
Seminole Hard Rock Hotel & Casino Tampa has been named the luckiest casino in the US according to a recent study conducted by Casinos.com. The resort claimed the top spot based on an in-depth analysis of Tripadvisor reviews, measuring the frequency of luck-related keyword mentions. With a 25.49% luck rate, Seminole Hard Rock Tampa topped the list thanks to glowing guest feedback, including frequent mentions of jackpots, hand pays and bonus wins. 50 reviews mentioned the word “jackpot,” and 19 even referenced a “hand pay.” Casinos.com tracked keywords such as lucky, luck, won, winning, success, jackpot, hand pay, winner, bonus, profit to determine which U.S. casinos inspired the most winning moments among visitors.
The Missouri Gaming Commission has announced that it has officially begun accepting applications for sports betting license. The Commission made the announcement following the unanimous approval of a resolution drafted Tuesday that approved the licensing process. The resolution passed after Gov. Mike Kehoe’s office reviewed it. The licensing period opens roughly six months after Missouri voters narrowly approved a constitutional amendment legalising sports betting. The measure passed by less than half a percentage point, with a margin of less than 7500 votes.
Underdog Fantasy has relaunched its draft-style daily fantasy sports (DFS) games in New York, nearly two months after it withdrew all of its DFS competitions from the Empire State. The decision to withdraw all DFS contests from New York in March came after a ruling from the New York State Gaming Commission in which the commission determined Underdog was not in line with the state’s current DFS law. An Underdog Fantasy spokesperson confirmed the company is still working under a temporary license. The New York State Gaming Commission agreed to allow the company to offer its draft DFS games with the temporary license. Most DFS companies in New York operate with a temporary license.
New Partnerships
Pollard Banknote Limited has congratulated the West Virginia Lottery on the successful launch of Royal Court Riches, its first eInstant game from the Pollard Digital Games Studio. Royal Court Riches has already demonstrated strong performance in multiple markets—in its first international launch, it achieved that jurisdiction’s highest tickets sold, total sales and gross gaming revenue within its first 30 days of release. Royal Court Riches is the first in a series of games from the Pollard Digital Games Studio slated to launch in West Virginia this year.
SYNOT Games has announced a new partnership with Caliente, one of Mexico’s top gaming platforms. This collaboration marks an exciting expansion for SYNOT Games, as it brings its acclaimed portfolio of gaming content to the Mexican market. It enhances Caliente’s offerings with an extensive array of high-quality slot games such as Respin Joker, Book of Secrets, Realm of Lions and Forest Maiden, designed to captivate players and boost engagement. Caliente with its strong presence in Latin America, is the perfect partner for SYNOT Games’ expansion into the region. The partnership aims to deliver an exceptional gaming experience, combining SYNOT’s visually rich, innovative games with Caliente’s extensive reach and reputation.
The post Gaming Americas Weekly Roundup – May 19-25 appeared first on European Gaming Industry News.
Industry Awards
Betsson Group Nominated in 14 Categories at the Women in Gaming Diversity Awards 2025
Betsson Group has been nominated in 14 categories at the Women in Gaming Diversity & Employee Wellbeing Awards 2025, hosted by Clever Duck Media. These include five company-wide nominations and nine individual nominations for eight of its employees.
These annual awards celebrate excellence in equality, diversity, inclusion and employee wellbeing across the global gaming industry. Since its launch in 2010, the event has solidified its position as one of the global gaming industry’s most respected diversity accolades.
The categories in which Betsson Group and its employees have been shortlisted include:
Company Category Nominations:
Best Diverse Place to Work
Community Engagement
Company of the Year (Operator)
Diversity & Inclusion
Great Place to Work Award
Individual Category Nominations:
Affiliate Leader – Shakyra Jonsson
Employee of the Year (Operator) – Lisa Mifsud
Excellence in Customer Service – Gabriella Larsson
HR Champion (Operator) – Tamara Klibadze
Innovator – Lena Nordin
Inspiration of the Year (Operator) – Lena Nordin
Positive Role Model of the Year (Operator) – Lara Lombardi
Star of the Future (Operator) – Jessica Carrillo Miranda
Young Leader of the Year (Operator) – Chellyanne Cassar
These nominations reflect the company’s ongoing dedication to creating a workplace where employees feel valued, respected and empowered to succeed. At Betsson Group, diversity, equity and inclusion are more than buzzwords; they are embedded in the company’s culture, values and daily actions. In previous years, Betsson has been recognised at the WiG Diversity Awards for Best Diverse Place to Work (2022 and 2024), Company of the Year (2019 and 2022) and for Diversity & Inclusion (2021). For the individual categories, Betsson employees have previously won Excellence in Customer Service, Star of the Future and Young Leader of the Year.
The post Betsson Group Nominated in 14 Categories at the Women in Gaming Diversity Awards 2025 appeared first on European Gaming Industry News.
-
Latest News4 weeks agoAtlaslive Analysis: European Gambling Market Enters €123.4 Billion Digital-First Era
-
Latest News3 weeks ago
Meet 22Bet Partners at iGB Live London: Tennis, Talks & Wimbledon Dreams
-
Latest News7 days ago
Current Games Activates the Nitro on Neon-Soaked Arcade Combat Racer: Cyber Clutch: Hot Import Nights
-
Latest News7 days ago
Soft2Bet’s brand Don.ro Becomes Main Sponsor of CFR Cluj in Multi-Year Agreement
-
Latest News3 weeks ago
IGT Lottery Becomes Brightstar Lottery
-
Latest News3 weeks ago
Gen.G Opens “GGX”, the Next-Gen Cultural Gaming Space
-
Latest News7 days ago
NODWIN Gaming partners with Esports World Cup Foundation to manage media rights sales across South Asia
-
Latest News3 weeks ago
Precision, Power, Play: Visit PlayAmo Partners at Booth L20 During iGB Live 2025
