Millions of Clubillion Casino Gambling App’s Users Suffer Daily Activity and Personal Data Leak

Clubillion, the leading casino gambling application for Android and iOS devices, has leaked the personal data and daily activity data of millions of users.

The enormous data leak, caused by a misconfigured Elasticsearch database that third parties could access, was found by vpnMentor researchers Ran Locar and Noam Rotem. They discovered that the exposed, AWS-hosted customer database contained technical logs for millions of the casino gambling application's users worldwide.

The technical database, built on the Elasticsearch search engine, was set up to store daily activity logs from both the iOS and Android applications. It received up to 200 million new records per day, estimated at up to 50 GB of storage. The daily activity logs recorded players' account creation, their entries into games, their history of winnings and losses, and updates to their accounts. The logs also included Personally Identifiable Information (PII), such as email addresses, IP addresses, private messages, and information about customers' winnings.

According to the two researchers who found the data leak, Clubillion currently has a massive user base in Europe. They revealed that the casino gambling application has an average of 2,475 daily active users in the UK, 2,407 in Italy, 1,650 in France, 1,582 in Germany, and 1,026 daily active users in Spain. The application also averages 10,000 daily active customers in the US, more than 7,700 in Canada and 6,251 in Australia. Millions of people in Austria, Romania, Poland, Latvia, India, Vietnam, the Philippines, Indonesia, Thailand and other countries also use Clubillion.

Public Access to the Exposed Database Was Closed around April 5th

The security researchers found the exposed database on March 19th and contacted the casino gambling application's developers on March 23rd. After receiving no response, they reached out to AWS, and public access to the database was fully closed around April 5th. According to reports, the daily activity records and personal information of people from all over the world were exposed to third parties during that period.

The vpnMentor team explained that gambling and casino applications are often not transparent enough, which makes it hard to find out what steps their developers actually take to protect customer data and to keep cybercriminals away from databases such as the one leaked here. According to a study of 23,000 free gambling applications, 3,200 of those apps posed a moderate risk to their customers, 379 had known security weaknesses, and 52 contained malicious software.

Had cybercriminals used Clubillion to plant malicious software on a customer's mobile device, they could have accessed data from other applications, text messages, call information, and files stored on the device. The firm further noted that the impact of the data leak could be even worse given the current situation, with many people across the world still under lockdown because of the Covid-19 pandemic.

vpnMentor also explained that phishing scams could exploit specific leaked data, such as records of transaction errors from card payments carried out through the casino gaming app. Hackers could obtain even more personal and financial information by gaining access to users' email accounts or by tricking customers into installing malicious software on their devices.

According to vpnMentor, the most serious risk for the Clubillion casino gambling app itself is the loss of players, as a data leak of this scale could drive many of them away from the application. Beyond that, the firm could also face greater scrutiny from both Google Play and the Apple App Store, not to mention possible GDPR regulatory action.