Latest News
Popular Gambling App Exposed Millions of Users in Massive Data Leak
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.
The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world.
Aside from leaking activity on the app, the breached database also exposed private user information.
With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.
Company Profile
Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.
Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8 star on both.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.
Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.
- Date discovered: 19th March 2020
- Date vendors contacted: 23rd March 2020
- Date of contact with AWS: 31st March 2020
- Date of Action: Approx. 5th April 2020
Example of Entries in the Database
Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:
- “enter game”
- “win”
- “lose”
- “update account”
- “create account”
During our investigation of the database, new entries continued to appear continuously. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.
In total, this amounted to over 50GB of exposed records in the database every single day.
Within many of these records, were various forms of user Personally Identifiable Information (PII) data, including:
- IP addresses
- Email addresses
- Winnings
- Private messages
This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:
- USA – 10,000+
- UK – 2,475+
- France – 1,650+
- Israel – 408+
- Germany – 1,582+
- Spain – 1,026+
- Italy – 2,407+
- Netherlands – 622+
- Australia – 6,251+
- Canada – 7,792+
- Brazil – 3,859+
- Sweden – 191+
- Russia – 547+
Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungry, and Latvia.
As you can see, on a single day, 10,000s of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.
Data Breach Impact
Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.
Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.
One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.
Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.
With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.
With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:
- Trick them into providing their credit card details
- Trick them into providing additional PII to be used against them in further fraud
- Clicking a link that embeds malware, spyware, or ransomware onto their device.
If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.
Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.
Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.
Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.
Impact on Clubillion and it’s Developers
The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.
With fewer players, Clubillion will lose advertising revenue and reduced profits.
As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.
Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.
Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.
Advice from the Experts
Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:
- Securing their servers.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
For Clubillion Users
If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.
To learn about data vulnerabilities in general, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.
Our team was able to access this database because it was completely unsecured and unencrypted.
Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.
The purpose of this web mapping project is to help make the internet safer for all users.
Latest News
ECA and AGEM applaud creation of Association Assembly at ICE Barcelona
The news that January’s ICE Barcelona will include a major new feature dedicated to global gaming’s most influential trade associations has been welcomed by organisations in Europe and abroad.
Making full use of the additional space at the Gran Via Fira de Barcelona, the first ICE Association Assembly has been created to enable trade bodies to promote their values and create new opportunities for the gaming community across every sector and geography, including both the Brussels-based European Casino Association (ECA) and the Association of Gaming Equipment Manufacturers (AGEM), the global trade association for gaming equipment suppliers with its primary headquarters in Las Vegas.
Erwin Van Lambaart, Chair of the ECA confirmed: “Our members are already planning their week in Barcelona and they will be at this historic edition of ICE in great numbers. ICE is a pivotal event for the global gaming community and having a show floor feature which will enable us to engage directly with all sectors is a unique opportunity.
“Traditionally, our association’s involvement at ICE and its Conference program has primarily centred around networking and product development orientation—connecting with our members, regulators, suppliers, and fellow trade bodies. However, ICE 2025 marks a significant milestone. For the first time, the ECA will have the chance to fully interface with the global industry supply chain in its entirety. We are looking forward to this unique opportunity to articulate our vision for the future to a diverse and comprehensive audience, where innovation, responsibility and significant partnerships for guest and customer centricity will have centre stage.”
Daron Dorsey, CEO of AGEM added: “We represent the interests of our gaming suppliers whose well-known brands are global in reach, so to be given the opportunity to explain our agenda and engage with what is a truly international audience of association colleagues on the ICE show floor is invaluable.”
January’s editions of ICE and iGB Affiliate will occupy 120,000sqm of space compared to the 100,00sqm at ICE 2024. In a major endorsement of the opportunities offered by the relocation to Barcelona 72% of the 25 biggest exhibitors will have an increased stand presence at ICE 2025.
The post ECA and AGEM applaud creation of Association Assembly at ICE Barcelona appeared first on European Gaming Industry News.
Aviatrix
Aviatrix expands into Venezuela with FacilitoBet
Aviatrix, the innovative crash game that is quickly growing in popularity across Latin America and elsewhere, has added FacilitoBet to its portfolio of operator partners.
The deal sees FacilitoBet integrate Aviatrix into its proprietary GEO VES platform, making the game available to its players across Venezuela.
This is a major move by Aviatrix’s into the Venezuelan market, following numerous deals elsewhere in Latin America over the past 12 months.
Gabriela Novello, Head of Business Development LATAM at Aviatrix, said: “We want to bring Aviatrix to the most respected brands across Latin America, and FacilitoBet absolutely meets those criteria. By integrating us into their own platform, we’re able to work directly with the FacilitoBet team to bring a truly world-class experience to players across Venezuela. This is another important step in the Aviatrix journey.”
Henry Sanchez, Director of FacilitoBet, said: “Crash games have become a true phenomenon over the last couple of years, and we love Aviatrix because it brings something unique to the genre. The game is engaging, and their team is extremely helpful when it comes to onboarding to our own GEO VES platform. We are sure Aviatrix will be a big success among our players.”
Aviatrix is quickly becoming Latin America’s favourite crash game, following integrations with NGX, Salsa Technology, Vibra Gaming, Cactus Gaming, RedCap, Virtualsoft, Casa de Apostas, Portugabet and many more.
Latest News
Atlaslive and Alea Partner to Revolutionize Casino Offerings with Data-Driven Player Insights
Atlaslive, a leading B2B software provider in the global iGaming industry, has announced an exciting partnership with Alea, a data-driven casino game aggregator. Together, the two companies will deliver highly customized, data-focused gaming experiences designed to boost player engagement and drive operator success.
Atlaslive’s multi-functional platform empowers sports betting and casino operators with a customizable, scalable solution. Partners have the freedom to tailor the platform to their brand style and market preferences, whether they’re focused on a regional niche or a global audience.
With over 15,000 games in Atlaslive’s casino library, which includes slots, live casino games, table games, virtual games, lotteries, and more, operators can offer a diverse selection to match any player demographic. This vast collection will now be complemented by Alea’s aggregation, creating an unmatched selection of casino content.
Lidiia Vakulenko, COO of Atlaslive, commented on the collaboration: “At Atlaslive, our goal is to provide operators with not only a powerful platform but also the tools and content they need to stand out in a competitive market. Our partnership with Alea enhances our already robust casino offering with even more game diversity, while adding sophisticated data insights that help our partners design player experiences tailored to their audience. This partnership is a game-changer for both companies and our partners.”
In addition to its extensive game portfolio, Atlaslive’s platform provides operators with advanced tools to create custom segments and automated marketing triggers. This allows operators to design personalized campaigns and offers based on player behavior, boosting engagement, retention, and ultimately, revenue.
Jordi Sendra, CEO of Alea, also commented on the collaboration: “We are thrilled to partner with Atlaslive, a company that shares our vision of using data and technology to drive innovation in iGaming. Together, we can offer operators not just a vast range of top-tier games, but the deep player insights they need to refine their strategies and maximize engagement. We believe this partnership will open up new possibilities for both companies and the operators we serve globally.”
By bringing together Atlaslive’s dynamic platform and Alea’s data-driven approach, this partnership is set to transform the way casinos operate, providing powerful tools that will help them grow and thrive in the competitive iGaming landscape.
The post Atlaslive and Alea Partner to Revolutionize Casino Offerings with Data-Driven Player Insights appeared first on European Gaming Industry News.
-
gaming2 years ago
ODIN by 4Players: Immersive, state-of-the-art in-game audio launches into the next generation of gaming
-
EEG iGaming Directory8 years ago
iSoftBet continues to grow with new release Forest Mania
-
News7 years ago
Softbroke collaborates with Asia Live Tech for the expansion of the service line in the igaming market
-
News6 years ago
Super Bowl LIII: NFL Fans Can Bet on the #1 Sportsbook Review Site Betting-Super-Bowl.com, Providing Free Unbiased and Trusted News, Picks and Predictions
-
iGaming Industry7 years ago
Rick Meitzler appointed to the Indian Gaming Magazine Advisory Board for 2018
-
News6 years ago
REVEALED: Top eSports players set to earn $3.2 million in 2019
-
iGaming Industry7 years ago
French Senator raises Loot Boxes to France’s Gambling Regulator
-
News7 years ago
Exclusive Interview with Miklos Handa (Founder of the email marketing solutions, “MailMike.net”), speaker at Vienna International Gaming Expo 2018