[BreachExchange] VIP Games exposes user data through unsecured Elasticsearch server

Destry Winant destry at riskbasedsecurity.com
Thu Jan 28 10:50:20 EST 2021


https://siliconangle.com/2021/01/26/vip-games-exposes-user-data-unsecured-elasticsearch-server/

Casual gaming provider VIP Games has suffered a data breach, exposing
millions of records relating to users of the service.

VIP Games, owned by a game development studio called Casualino JSC,
has 20,000 active daily players and includes popular games such as
Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo and
Yatzy. The Android app for the site has been downloaded more than
100,000 times on Google Play.

Discovered and publicized today by security researchers at WizCase, the
30-gigabyte database was found to contain more than 66,000 user
profiles and 23 million records. The exposed data included usernames,
emails, device details, IP addresses, hashed passwords, Facebook IDs,
Twitter IDs, Google IDs, in-game transaction details, bets and details
regarding banned players.

The passwords were hashed with the Bcrypt algorithm using 10 rounds.
Although such hashes can take some effort to crack, it can be done.

The database was exposed to all and sundry on a misconfigured
Elasticsearch server. VIP Games was contacted and warned of the
database being exposed so it could secure it prior to the exposure
being made public.

The researchers warn that the user data could be utilized for a
variety of nefarious purposes including identity theft and fraud, a
password breach, scams, phishing, malware and blackmail. The
suggestion of blackmail stands out: Researchers suggested that the
inclusion of banned user details could be used for extortion or
revenge. Examples include a player who was banned for possible
pedophile behavior being tricked into a physical meeting with
vigilantes, or a user banned for exhibitionism being threatened with
exposure.

“When a breach like this occurs, an unsecured server is almost always
the reason — especially an Elasticsearch server,” Chris DeRamus, vice
president of technology at cybersecurity and compliance solution
provider Rapid7 Inc.’s Cloud Security Practice, told SiliconANGLE.
“The software-defined nature of the cloud leads to frequent changes
and it is important that organizations implement a continuous and
automated cloud security strategy in order to detect and remediate
threats such as misconfigurations and compliance violations in real
time.”

The incident illustrates the importance of automating remediation
processes to prevent unintended gaps in security, DeRamus explained.
“Automated cloud security solutions can grant organizations the
ability to detect misconfigurations and alert the appropriate
personnel to correct the issue, or even trigger automated remediation
in real-time, so that databases and other assets never have the
opportunity to be exposed, even temporarily,” he said.

Ami Luttwak, co-founder and chief technology officer of cloud security
company Wiz Inc., noted that cloud exposure is still the top
cybersecurity risk for many companies.

“It is a much bigger likelihood that a company will find its data
accidentally exposed than that a state threat actor will target them,”
Luttwak said. “Cloud is complex and ever-changing, and it is very easy
to make a mistake. Before you realize you have something exposed or
misconfigured, your data might already be out the door.”

