MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability

Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that threat actors can access by carrying out an SQL Injection (SQLi) attack on the game’s website.

Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.

What is SQL Injection?

First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.

Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020, which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.

The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
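The mechanism described above, as an added example that is not code from Street Mobster or CyberNews: a handler that pastes a URL parameter into the SQL text, next to the same query with the value bound as a parameter. The `players` table, the `game.example` URLs and the function names are assumptions made for illustration, and the rows are constructed sample data.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO players (id, username) VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def id_from_url(url):
    """Return the raw, client-controlled `id` query parameter (URL-decoded)."""
    return parse_qs(urlparse(url).query)["id"][0]

def profile_vulnerable(db, url):
    """Weak pattern: the parameter becomes part of the SQL text, so the
    database parses whatever it contains as SQL syntax."""
    sql = ("SELECT username FROM players WHERE id = "
           + id_from_url(url) + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def profile_safe(db, url):
    """Hardened pattern: the statement text is fixed and the parameter is
    bound through a placeholder, so it is only ever compared as a value."""
    sql = "SELECT username FROM players WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (id_from_url(url),))]

# Constructed requests: an ordinary one, and one whose id carries an
# always-true condition appended to the number.
NORMAL_URL = "https://game.example/profile?id=2"
CRAFTED_URL = "https://game.example/profile?id=2%20OR%201%3D1"

def demo():
    db = make_db()
    return {
        "vulnerable_normal": profile_vulnerable(db, NORMAL_URL),
        "vulnerable_crafted": profile_vulnerable(db, CRAFTED_URL),
        "safe_normal": profile_safe(db, NORMAL_URL),
        "safe_crafted": profile_safe(db, CRAFTED_URL),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20} {rows}")
```

With the concatenated query the crafted request returns every row in the table; with the bound parameter the same request matches nothing, because the whole string is treated as a single id value.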

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.

 

How we found this vulnerability

Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.

The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.

Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

What to do if you’ve been affected?

If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.

We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted BigMage Studios and informed the company about the misconfiguration.

Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. For this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.

Eventually, however, BigMage Studios appear to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.

 
