Popular Gambling App Exposed Millions of Users in Massive Data Leak


 

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.

The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world.

Aside from leaking activity on the app, the breached database also exposed private user information.

With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.

Company Profile

Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.

Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8-star rating on both.

Timeline of Discovery and Owner Reaction

Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.

Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.

  • Date discovered: 19th March 2020
  • Date vendors contacted: 23rd March 2020
  • Date of contact with AWS: 31st March 2020
  • Date of Action: Approx. 5th April 2020

Example of Entries in the Database

Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:

  • “enter game”
  • “win”
  • “lose”
  • “update account”
  • “create account”

During our investigation of the database, new entries continued to appear. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.

In total, this amounted to over 50GB of exposed records in the database every single day.

Many of these records contained various forms of user Personally Identifiable Information (PII), including:

  • IP addresses
  • Email addresses
  • Winnings
  • Private messages

This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:

  • USA – 10,000+
  • UK – 2,475+
  • France – 1,650+
  • Israel – 408+
  • Germany – 1,582+
  • Spain – 1,026+
  • Italy – 2,407+
  • Netherlands – 622+
  • Australia – 6,251+
  • Canada – 7,792+
  • Brazil – 3,859+
  • Sweden – 191+
  • Russia – 547+

Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungary, and Latvia.

As you can see, on a single day, tens of thousands of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.

Data Breach Impact

Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.

Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.

One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.

Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.

With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.

With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:

  1. Trick them into providing their credit card details
  2. Trick them into providing additional PII to be used against them in further fraud
  3. Trick them into clicking a link that embeds malware, spyware, or ransomware onto their device.

If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.

Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.

Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.

Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.

Impact on Clubillion and Its Developers

The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.

With fewer players, Clubillion will lose advertising revenue and see reduced profits.

As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.

Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.

Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.

Advice from the Experts

Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:

  1. Securing their servers.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.
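
One way to check a node's configuration for the failure described in this report, as an added example that is not vpnMentor's or Clubillion's code. The sample configs are constructed, the parser handles only flat `key: value` lines, and an unset `xpack.security.enabled` is treated as disabled (the default before Elasticsearch 8.0).

```python
import ipaddress

# Constructed sample configs for illustration; not taken from the incident.
EXPOSED = """\
cluster.name: game-logs
network.host: 0.0.0.0      # listens on every interface
http.port: 9200
"""
HARDENED = """\
cluster.name: game-logs
network.host: 10.0.1.15    # private subnet address
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' form commonly used in elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def bind_scope(host):
    """Classify a bind address as 'local', 'all' (wildcard) or 'network'."""
    if host in ("_local_", "localhost"):
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "network"  # hostnames, _site_, _global_: assume reachable
    if ip.is_loopback:
        return "local"
    return "all" if ip.is_unspecified else "network"

def audit(text):
    """Return (severity, message) findings for one elasticsearch.yml."""
    s = parse_flat_yaml(text)
    host = s.get("http.host", s.get("network.host", "_local_"))
    scope = bind_scope(host)
    # Assumption: an unset value counts as disabled (the pre-8.0 default).
    auth = s.get("xpack.security.enabled", "false").lower() == "true"
    tls = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if scope != "local" and not auth:
        findings.append(("CRITICAL", f"HTTP API on {host} accepts unauthenticated requests"))
    if scope != "local" and not tls:
        findings.append(("HIGH", f"HTTP API on {host} is served without TLS"))
    if scope == "all":
        findings.append(("MEDIUM", "bound to all interfaces; bind to a private address"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A clean result here covers only the node's own settings; the cloud security group or firewall in front of it still needs to restrict who can reach the port.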

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.

For Clubillion Users

If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.

Our team was able to access this database because it was completely unsecured and unencrypted. 

Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.

These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.

The purpose of this web mapping project is to help make the internet safer for all users.

 

ACR POKER INJECTS DAILY DOSE OF THRILL INTO TOURNAMENT SCHEDULE WITH LAUNCH OF DAILY MYSTERY BOUNTY EVENTS


 

Monster top bounty of 10% of the total prize pool up for grabs starting this weekend

ACR Poker today announced the addition of Daily Mystery Bounty events to its tournament lineup starting this Sunday, August 3rd, delivering unmatched entertainment, thrilling action, and big wins to the tables.

Daily Mystery Bounty tournaments turn traditional bounty formats on their head. Once players are in the money, instead of receiving a fixed reward for eliminating an opponent, players receive a Mystery Bounty Chest revealing a mystery reward, with the top bounty prize being 10% of the total prize pool.

“Mystery Bounties are just pure fun,” said ACR Pro Chris Moneymaker. “You never know what you’re going to get when you knock someone out, it could be some random treasure or a monster bounty that flips your whole tournament. With same-day events, fast action and bounty madness on your daily calendar, it keeps the adrenaline going and makes every hand way more exciting.”

The Daily Mystery Bounty schedule features a range of tourneys and buy-ins, with highlights including the $250K GTD Sunday Funday ($215 buy-in), the $150K GTD Major Mash Up ($66 buy-in), and the $100K GTD Moorman’s Mayhem ($630 buy-in). Starting this Sunday, players can log into the ACR Poker client, open the Tournaments tab, and find the full lineup of Daily Mystery Bounty events in the regular schedule under upcoming events.

And don’t forget, the Mystery Bounty madness continues in ACR Poker’s massive Dual Venom tournaments taking place from Sunday, August 10th to Tuesday, August 26th. Not only are the $2,650 buy-in tourneys offering huge guarantees of $8 million in the NLH event and $2 million in the PLO event, but there are massive bounties on the table for those who knock out their competitors.

In the Venom NLH, eliminating just one opponent could earn a player the top bounty prize of $500,000. While in the Venom PLO, which ties ACR Poker’s biggest Omaha tourney ever, there’s a juicy $200,000 bounty for the taking. And that’s not all: every knockout in both tourneys earns players a minimum bounty of $5,000.

For full details about the Daily Mystery Bounty tournaments or to find out more about the Dual Mystery Bounty Venoms, visit ACRPoker.eu.

 

The post ACR POKER INJECTS DAILY DOSE OF THRILL INTO TOURNAMENT SCHEDULE WITH LAUNCH OF DAILY MYSTERY BOUNTY EVENTS appeared first on Gaming and Gambling Industry in the Americas.


Take Aim at Mega Wins: ELA Games Unleashes Chaos With New Shooter Game “Shoot Happens”


 

A chaotic jungle journey with big, bad foes and insane riches.

Welcome to the jungle, where Shoot Happens! Face your opponent, take aim, and fire your way to riches.

ELA Games unveils its boldest title to date, a combination of decision-making and narrative progression where every shot counts.

In Shoot Happens, you’re not just a player. You’re the main character who has to fend off waves of increasingly dangerous (and valuable) monsters. Armed with 3 shots per round, you’ll need precision and calm nerves to take down the reward and add it to your Winpot. Hit the target for riches. Miss… and it’s back to the beginning.

The Choice Is Yours

Each round is in the hands of the player. Do you cash out now? Or keep slashing through the jungle for bigger and better rewards? Decision-making, timing, and a whole load of guts go a long way.

Expect the Unexpected

Random projectile bonuses can appear in any round, boosting your rewards massively. And just when you thought your journey through the treacherous jungle was over, the final boss appears. While the other monsters may have been a piece of cake, he doesn’t stay down. Each time you defeat him, he respawns for juicier and recurring payouts. Keep going as long as you can handle it, and you might walk out as the top dog of the jungle.

Marharyta Yerina, ELA Games’ Managing Director, commented on the game’s release, “With Shoot Happens, the team ventured outside of conventional game formats, and we wanted to give players a super engaging experience where they’re in control. This title is a bold approach to game design in this industry, as we’re empowering players with choice and enriching the gameplay experience with strong visuals, narratives, and plenty of replayability.”

Play how you want. The Winpot is yours

Shoot Happens is the perfect blend of fast-paced action, bold decision-making, and interactive gameplay. Whether you’re a cautious player or a complete daredevil, the game is an enticing experience for all.

How deep into the jungle are you willing to go?

The post Take Aim at Mega Wins: ELA Games Unleashes Chaos With New Shooter Game “Shoot Happens” appeared first on European Gaming Industry News.


AGA Research Reveals Consumers Know Sweepstakes Casinos are Gambling


 

As gaming regulators, state Attorneys General, and state legislatures continue to scrutinize the business practices of online “sweepstakes” casinos, new research shows that consumers overwhelmingly use these platforms to gamble – and that sweepstakes operators are heavily targeting players in key states. By exploiting loopholes in the law, these operations undermine the integrity of the legal, regulated gaming marketplace.

According to Sensor Tower data compiled by the American Gaming Association (AGA), half of all online, real-money casino advertisements seen by consumers in early 2025 promoted offshore “sweepstakes” casinos. The data shows these unregulated operators concentrate their advertising in populous states.

“These operators present themselves like legal, regulated platforms – but they operate outside the law and regulation. There are few if any responsible gaming tools, no regulatory oversight, and no consumer protections. It’s a dangerous subterfuge that puts players at real risk,” said AGA Vice President of Government Relations, Tres York.

Despite operating outside the regulated gaming market, “sweepstakes” casinos are widely perceived by players as gambling platforms, with 68% of users saying their primary reason for playing is to win real money. This confusion is no accident – many of these sites mimic the look, feel, and language of legal operators, blurring the line for consumers and reinforcing the need for clearer enforcement and public education.

Key findings include:

• 90% of sweepstakes casino users consider the activity to be gambling.

• 69% describe sweepstakes casinos as places to wager real money.

• 80% of sweepstakes players spend monthly, and nearly half spend weekly, without the safety nets offered by regulated operators.

The number of monthly sweepstakes casino players is twice as high in states lacking sweepstakes prohibitions.

“Sweepstakes” casinos aggressively market on popular digital platforms throughout the country. Legal, regulated gaming operators, by contrast, advertise responsibly in legal states where consumer protections and regulatory oversight are in place.

“The data is clear. Consumers see right through the ‘sweepstakes’ casino facade and they’re calling it what it is: gambling. We look forward to policymakers continuing to enforce their laws and create clarity through new policy measures to protect their residents,” added York.

The post AGA Research Reveals Consumers Know Sweepstakes Casinos are Gambling appeared first on Gaming and Gambling Industry in the Americas.
