MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that threat actors can access by carrying out an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications were still vulnerable to SQLi attacks in 2020, which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine after succumbing to a cyberattack that involved SQLi.
An SQLi attack works by injecting an unexpected payload (a piece of code) into an input box on the website or into its URL. Instead of treating the text as plain data, the website’s server reads the attacker’s payload as code and then executes the attacker’s command or outputs data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. For this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
Angelo Palmisano
Pavilion Payments Appoints Angelo Palmisano as its Chief Product Officer
Pavilion Payments, the gaming industry’s leading omnichannel payment solutions provider, has appointed Angelo Palmisano as its Chief Product Officer. In this role, Palmisano will lead Pavilion Payments’ product and innovation strategy, guiding the continued evolution of the company’s platform and overseeing product development and design across its expanding portfolio of solutions for casino operators.
Palmisano brings more than 35 years of experience across the global gaming industry, with deep expertise in casino technology, product development, gaming systems, electronic gaming machines, payments, automation, loyalty technologies, and digital signage.
He founded Paltronics and grew the company into a global gaming technology business with offices across North America, Australia, South Africa, and Asia before the North American division was acquired by Aristocrat Technologies in 2014. Following the acquisition, Palmisano joined Aristocrat as Senior Vice President of Global Strategy and Innovation, where he helped evolve the company’s systems portfolio into a multi-property enterprise platform and supported major deployments with operators including Boyd Gaming, Choctaw Casinos, and the Cordish Companies. Prior to joining Pavilion Payments, he also served as Chief Strategy Officer for Win Systems.
In his new role, Palmisano will lead Pavilion Payments’ product organization, overseeing product development, design, and innovation, while guiding the continued evolution of Pavilion’s platform across payments, compliance, and iGaming initiatives.
“Angelo has been at the forefront of gaming technology innovation for many years, and we’re excited to have him join Pavilion. He brings a unique combination of entrepreneurial vision, product expertise, and deep industry knowledge. As we continue evolving our platform with deeper systems integrations and data insights, Angelo will be pivotal in guiding that journey,” said Diallo Gordon, CEO of Pavilion Payments.
Palmisano said the opportunity to join Pavilion Payments was driven by both the leadership team and the company’s strong product foundation.
“Pavilion has built a strong product foundation and has a real opportunity to capitalize on the technology and business shifts happening across our industry. I’m looking forward to working with the team to continue building solutions that help our customers succeed and support Pavilion’s long-term growth,” said Palmisano.
The post Pavilion Payments Appoints Angelo Palmisano as its Chief Product Officer appeared first on Americas iGaming & Sports Betting News.
Alex Manning
LCKY Group announce Alex Manning as Group CTO
LCKY Group has announced the appointment of Alex Manning as Group Chief Technology Officer, marking the first major leadership hire since the company’s strategic rebrand earlier this year.
Previously known as Glitnor Group, the entrepreneurial-led organisation entered a new phase of its development in January when it adopted the name LCKY Group. The rebrand was designed to better reflect the strong portfolio of brands operating under the group while also positioning the business for future expansion.
Alex’s appointment as Group CTO represents a significant step in this next stage of growth. With more than 25 years of experience across the fintech and iGaming sectors, Alex brings deep expertise in scaling businesses and leading complex digital transformations.
Prior to joining LCKY Group, Alex served as CTO of iGaming at Light & Wonder, where he led a major engineering transformation. During his four-year tenure, he transitioned the team to a product-led, cross-functional delivery model, oversaw the development of several first-of-their-kind products, and supported the company’s expansion into new regulated markets.
Richard Brown, Group CEO at LCKY Group, said:
“Everyone at LCKY Group is delighted to welcome Alex at what is a defining moment in the company’s evolution. He brings extensive experience across regulated fintech and iGaming markets, and his proven ability to guide organisations through successful scale-ups and digital transformations makes him an ideal fit for the role of Group CTO.”
Alex Manning, Group CTO at LCKY Group, added:
“I’m excited to join LCKY Group at a time when the business is focused on strengthening its international presence and growing its influence across key regulated markets. My priority will be to build on the strong culture that already exists within the group, creating a high-performance environment where teams can thrive, innovation is encouraged, and each of our brands is given the platform it deserves.”
The post LCKY Group announce Alex Manning as Group CTO appeared first on Eastern European Gaming | Global iGaming & Tech Intelligence Hub.
2025 Ads Safety Report
PropellerAds 2025 Ad Safety Outlook
PropellerAds, a top performance advertising platform worldwide, has just published the 2025 Ads Safety Report, which offers an in-depth analysis of ad fraud trends, protective measures for the platform, and guidance for advertisers on compliance.
The report emphasizes that as fraudulent methods grow more advanced, the organization’s multi-tiered security measures are essential in protecting advertisers, traffic providers, and end users.
Advancing Ad Fraud Methods and High-Risk Areas
In 2025, ad fraud advanced considerably, transitioning from basic techniques to more intricate, infrastructure-intensive schemes. Fraudsters exploited cloaking, malware distribution networks, and social engineering tactics aimed at messenger accounts, frequently across various ad formats. PropellerAds enhanced initial moderation and foundational detection to identify high-risk actions before campaigns launched.
Throughout the year, the platform processed 729,794 campaign rejections, mainly driven by content compliance and user safety issues, with adult content and malware alerts representing the largest portions. These actions guaranteed that campaigns were halted prior to delivery, safeguarding advertisers, publishers, and end users, while upholding a consistent and reliable advertising landscape. In comparison to 2024, campaign rejections rose by 35%, indicating enhanced moderation reach and more robust preventive measures.
Markets of high value, such as Turkey and Spanish-speaking areas, saw increased levels of fraudulent behavior. Approximately 80% of identified attacks aimed at users of Windows and Android. Fraud patterns typically integrated technical, behavioral, and content indicators, emphasizing the necessity for ongoing monitoring and thorough infrastructure evaluation.
High-Risk Accounts and Safeguarding Methods
Cloaking continued to be the primary high-risk infraction, making up more than 80% of verified account suspensions. This method consists of displaying varying content to moderation systems and users, masking the actual essence of campaigns. Ransomware, unsuccessful identity verification, and scam schemes also played a role in account suspensions, albeit to a smaller degree. Fraud that relies on heavy infrastructure necessitates multi-tiered enforcement and ongoing monitoring to guarantee platform safety.
In 2025, schemes of fraud grew more advanced. Cloaking methods encompassed multi-tiered traffic management, selective content distribution, and decentralized architecture. Malware distribution has progressed from basic redirects to immediate file downloads or complex interactions. Incidents of Messenger account hijacking rose, featuring phishing sites, counterfeit login forms, and mobile-centric social engineering assaults. Certain campaigns even utilized compromised or left-behind servers and domains, necessitating thorough technical and behavioral analysis for detection.
AI and automation contributed to fraud prevention by analyzing behavioral patterns, identifying high-risk signals, and aiding expert evaluations. Although fraudsters tried to utilize AI for creating counterfeit documents or modifying creative assets, PropellerAds guarantees that all campaigns undergo expert reviews and infrastructure checks prior to traffic delivery, stopping high-risk operations from accessing users.
Advertiser Adherence and Risk Oversight
PropellerAds advises advertisers to adhere closely to platform guidelines, verify that ad content aligns with format and regional specifications, comprehend the entire user experience, and track infrastructure and domain reputation. The use of cloaking or misleading tactics is deemed high-risk and typically leads to permanent account termination.
The PropellerAds team highlights that preventing fraud is an ongoing and developing process that demands technology, expert evaluation, and collaboration across the ecosystem. The organization continues to prioritize improving platform safety, ensuring transparency, and safeguarding all individuals involved in the advertising ecosystem.
The post PropellerAds 2025 Ad Safety Outlook appeared first on Eastern European Gaming | Global iGaming & Tech Intelligence Hub.