Comment: Popular Gambling App Exposed Millions of Users in Massive Data Leak
It has been reported that security researchers have discovered a data breach on casino gambling app Clubillion. The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world. Aside from leaking activity on the app, the breached database also exposed private user information. With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.

Commenting on this, Boris Cipot, senior security engineer at Synopsys, said “Unfortunately, we see all too often devices and databases that are exposed to the internet without proper protection. Sometimes, this is by mistake. Frequently, however, this is due to a misconception that it does not matter, arguing that it only allows access to random data. As we see in the case of the Clubillion breach, this ‘random data’ included Personally Identifiable Information (PII) such as e-mail addresses. There is no doubt that this will likely be utilised to execute further attacks on the players involved.

As this data might be abused in phishing attacks, players should not blindly click on links received through email, nor open attachments. They definitely should not give out any information about themselves such as names, social security numbers or credit card details either. Criminals with this data may contact individuals and attempt to gather more data under the pretence that they have won something, or that they are reinforcing their security details. Also, players should be wary of any emails coming from other gaming platforms as these may also be phishing emails. One rule to remember is that no serious business would ask you for your credit card data or other PII over email. If they do, it is better to call them and clarify what they need and who needs that data rather than to blindly follow directions from the email.”

Michael Barragry, Operations Lead and Security Consultant at Edgescan, added “Gambling apps and their users represent attractive targets for hackers. Within the distribution of users, there will be a subset who are not at all risk-averse and are out to make a quick buck – and may be prime targets for spear phishing attacks and similar. Apps are always harvesting live analytics from their users to further customise their service around latest trends – the fact that this included IP addresses and email addresses made this especially valuable to an attacker looking to customise further, more targeted attacks. Gambling apps should assess which information they actually need as part of their analytics, and keep it to the minimum. It’s not clear how the database was compromised, but DB security best practices should always be followed.”

Warren Poschman, senior solutions architect at comforte AG, concluded “Fraud is easy to commit when a criminal obtains financial and personal account information. Therefore these kinds of breaches create a lot of stress on both the issuers’ side and the consumers’. It’s crucial to protect sensitive data over the entire data lifecycle. Implementing data-centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward. One very effective way to protect sensitive data is to pseudonymize it through tokenization. If hackers get access to these tokens, the data is useless. This also reduces stress on both sides: for businesses and consumers.”
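The tokenization approach Poschman describes, and Barragry’s point that an analytics store should hold only what it needs, can be shown with a small example. The code below is an added illustration, not code from Clubillion, comforte AG, Synopsys or Edgescan: it assumes a vault-based scheme in which an in-memory vault (standing in for a separately secured store) replaces the e-mail address and IP address in each player-activity event with a random token before the event is written to the analytics database, and in which only a named role may reverse a token. Field names, role names and the sample events are constructed for the example.

```python
import secrets

# Fields in a player-activity event that are PII and must never reach the
# analytics store in the clear. Field names are assumptions for this example.
PII_FIELDS = ("email", "ip")

# Roles allowed to reverse a token. Assumed for the example.
DETOKENIZE_ROLES = {"fraud-investigator"}


class TokenVault:
    """Maps sensitive values to random tokens and back.

    The vault is the only place where a token can be turned back into the
    original value, so in production it lives in a separately secured store
    with its own access controls. Here it is an in-memory dict so the example
    is self-contained.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Deterministic per value: the same e-mail always yields the same
        # token, so analytics can still count distinct players or join
        # events without ever seeing the address itself.
        token = self._value_to_token.get(value)
        if token is None:
            # 128 bits of randomness and no relationship to the input, so a
            # leaked token cannot be worked back to the e-mail or IP.
            token = "tok_" + secrets.token_hex(16)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # "De-protect only when absolutely necessary": reversal is gated by
        # role and is the only path back to plaintext.
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]


def to_analytics_record(event: dict, vault: TokenVault) -> dict:
    """Return the version of an event that is safe to write to the analytics DB.

    PII fields are replaced by tokens; everything else (game id, bet, outcome)
    passes through unchanged, since that is what the analytics actually needs.
    """
    record = dict(event)
    for field in PII_FIELDS:
        if field in record:
            record[field] = vault.tokenize(record[field])
    return record


def leaked_pii(records: list[dict], raw_events: list[dict]) -> list[str]:
    """Simulate the breach scenario: the analytics store is dumped in full.

    Returns every raw PII value that appears anywhere in the dumped records;
    an empty list means the dump contains no e-mail or IP address.
    """
    dumped = "\n".join(str(r) for r in records)
    return [e[f] for e in raw_events for f in PII_FIELDS if f in e and e[f] in dumped]


# Constructed sample events, not real player data.
SAMPLE_EVENTS = [
    {"email": "player1@example.com", "ip": "203.0.113.7", "game": "slots-12", "bet": 5, "won": 0},
    {"email": "player2@example.com", "ip": "198.51.100.2", "game": "slots-12", "bet": 2, "won": 20},
    {"email": "player1@example.com", "ip": "203.0.113.7", "game": "poker-3", "bet": 10, "won": 0},
]


def demo() -> dict:
    """Tokenize the sample events and check what a dump of the store would expose."""
    vault = TokenVault()
    records = [to_analytics_record(e, vault) for e in SAMPLE_EVENTS]
    distinct_players = len({r["email"] for r in records})
    return {
        "records": records,
        "distinct_players": distinct_players,
        "leaked": leaked_pii(records, SAMPLE_EVENTS),
        "vault": vault,
    }


if __name__ == "__main__":
    result = demo()
    for r in result["records"]:
        print(r)
    print("distinct players:", result["distinct_players"])
    print("PII recoverable from dump:", result["leaked"])
```

Running `demo()` shows the two properties that matter: the analytics store still answers its own questions (three events, two distinct players, the same player’s events still join on the same token), while a full dump of that store yields no e-mail or IP address, because those exist only in the vault and come back only through the role-gated `detokenize` call.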