Popular Gambling App Exposed Millions of Users in Massive Data Leak

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.

The breach originated in a technical database built on an Elasticsearch engine, which was recording the daily activities of millions of Clubillion players around the world.

Aside from leaking activity on the app, the breached database also exposed private user information.

With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.

Company Profile

Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.

Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8-star rating on both.

Timeline of Discovery and Owner Reaction

Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue is quickly resolved. But these times are rare. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregard our research, or play down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.

Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.

  • Date discovered: 19th March 2020
  • Date vendors contacted: 23rd March 2020
  • Date of contact with AWS: 31st March 2020
  • Date of Action: Approx. 5th April 2020

Example of Entries in the Database

Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:

  • “enter game”
  • “win”
  • “lose”
  • “update account”
  • “create account”

During our investigation of the database, new entries continued to appear. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.

In total, this amounted to over 50GB of exposed records in the database every single day.

Many of these records contained various forms of users’ Personally Identifiable Information (PII), including:

  • IP addresses
  • Email addresses
  • Winnings
  • Private messages

This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:

  • USA – 10,000+
  • UK – 2,475+
  • France – 1,650+
  • Israel – 408+
  • Germany – 1,582+
  • Spain – 1,026+
  • Italy – 2,407+
  • Netherlands – 622+
  • Australia – 6,251+
  • Canada – 7,792+
  • Brazil – 3,859+
  • Sweden – 191+
  • Russia – 547+

Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungary, and Latvia.

As you can see, on a single day, 10,000s of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.

Data Breach Impact

Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.

Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.

One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.

Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.

With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.

With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:

  1. Trick them into providing their credit card details
  2. Trick them into providing additional PII to be used against them in further fraud
  3. Trick them into clicking a link that embeds malware, spyware, or ransomware onto their device.

If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.

Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.

Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.

Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.

Impact on Clubillion and its Developers

The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.

With fewer players, Clubillion will lose advertising revenue and see reduced profits.

As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.

Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.

Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.

Advice from the Experts

Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:

  1. Securing their servers.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.

For Clubillion Users

If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.

Our team was able to access this database because it was completely unsecured and unencrypted. 

Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.

These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.

The purpose of this web mapping project is to help make the internet safer for all users.

 

Evoplay starts a big fiesta in spicy new title Don Juan Peppers

Evoplay, the award-winning game development studio, has released Don Juan Peppers, a fiery new slot that blends bold bonus features with festive flair.

Set in a sun-soaked Mexican town bursting with colour, rhythm and celebration, the game invites players to join the charismatic Don Juan himself for a lively fiesta across 20 fixed paylines.

The action centres around two types of bonus symbols. Landing three Chili Bonus icons on reels two, three and four triggers seven Free Spins. During Free Spins, each appearance of a Chili Bonus symbol awards an Instant Chili Prize corresponding to the value shown above its reel.

Meanwhile, landing six or more Bonus symbols activates the bonus game. In this mode, all Bonus and Chili icons lock in place and reset the spin counter to three. Chilis in this round boost the value of up to four Bonus symbols before transforming and continuing the chase for bigger wins.

The bonus game also gives players a shot at four fixed jackpots: MINI, MEGA, SUPER, and the GRAND prize of 3,000x the bet. For players who want to skip straight to the fiesta, a Bonus Buy feature offers direct access to either the Bonus Game or Free Spins.

Don Juan Peppers is the latest release in Evoplay’s growing portfolio of standout slots, blending engaging gameplay with vibrant storytelling and proven features.

Ivan Kravchuk, CEO at Evoplay, said: “Don Juan Peppers is a celebration of bold design and dynamic mechanics. By blending familiar bonus features with a distinctive aesthetic and rhythmic theme, we’ve created a slot that feels both familiar and fresh.

“It’s a fantastic showcase of our approach to delivering high-performing content with real personality.”

The post Evoplay starts a big fiesta in spicy new title Don Juan Peppers appeared first on European Gaming Industry News.

Greek Casino Industry Undergoes Major Transformation

The Greek casino industry is undergoing a major transformation, with high-profile investments and relocations redefining the market.

While casinos now account for a smaller share of the broader gambling industry, with the total Greek gambling market reaching $31.5 billion in wagers in 2023 and gross gaming revenue of $2.8 billion, the flurry of new licenses, relocations and integrated resort projects is reshaping the sector and attracting international attention.

Following global trends, Greek casinos are evolving into integrated resorts, where gambling is just one part of a broader entertainment and hospitality experience.

These resorts aim to attract high-end tourists, generate consistent visitor flows, boost tax revenue and enhance Greece’s international brand in luxury tourism. The next five years will be critical in establishing Greece as a leading Mediterranean destination for integrated resorts.

Leading the wave is the Hard Rock Hotel & Casino Athens at the former Ellinikon site, a project valued at $1.6 billion. The venture is a partnership between Hard Rock International (51%) and GEK TERNA (49%), a major Greek construction and energy company, set to create one of Europe’s largest integrated resorts.

Standing 646 feet (197 meters) tall with 42 floors, the resort will include a five-star hotel, a conference center, event spaces and a casino built to international standards. Completion is expected within three years, creating three thousand construction jobs and three thousand permanent positions once operational.

Another key development is the relocation of Parnitha Casino to Marousi. The plan, initially proposed thirteen years ago, overcame legal hurdles after the Council of State approved Presidential Decree No. 36 (FEK 79/A/30-3-2023), which permits the transfer and modernisation of the casino into a multifunctional complex.

This Voria complex will occupy 52 acres near Golden Hall—an upscale shopping mall in Marousi—with 27 acres allocated for public spaces and 25 acres housing the casino, a five-star hotel with 150 rooms, a 1400-seat auditorium, dining, entertainment areas and a 636-space underground parking garage.

The $270 million investment is projected to create three thousand construction jobs and three thousand permanent positions, with completion expected three years after the building permit, anticipated in September 2025.

Three other casinos—in Rio, Alexandroupolis and Corfu—are undergoing financial restructuring.

Saint George Participations, linked to the Arfani and Chioni families, secured operational approval from the Hellenic Gaming Commission (EEEP) and plans to acquire licenses and control by purchasing existing loans and shares.

Although legally and financially complex, investors have already committed $13 million, signaling long-term involvement even before taking equity stakes.

The EEEP is also preparing to award a new casino license in Gournes, Heraklion, Crete, independent of the broader redevelopment of the former US base managed by Dimand.

Crete’s strategic location, strong tourism and new infrastructure make it highly attractive. The license is expected to be offered via tender by early 2026, drawing international interest.

The post Greek Casino Industry Undergoes Major Transformation appeared first on European Gaming Industry News.

UGC Calls for Global Teamwork to Stop Illegal Gambling

The Ukrainian Gambling Council (UGC) has called for a united, tech-based plan to tackle the worldwide increase in illegal online betting.

Viktoriya Zakrevskaya, UGC’s Deputy Chair, said the quick growth of digital platforms has led to more unlicensed operators. These operators often use cryptocurrencies and social media to avoid getting caught and to attract users.

Illegal operators now make up a big part of the $618.7 billion global iGaming market expected by the end of 2025. These platforms often register offshore, use anonymous payments and market online, making it harder to enforce laws against them.

Zakrevskaya pointed out that nations across the globe are trying out solutions that mix rules, tech and people’s involvement. Argentina, for example, has put in place tough age-checking systems and stops blacklisted websites on public Wi-Fi networks. This method, she explained, has made illegal sites harder to reach for at-risk groups such as kids.

In Indonesia, where betting is outlawed, officials have started watching money flows to cut off unlawful activity. Just last year, they froze 26,000 bank and e-wallet accounts tied to illegal betting operations, showing how focused money controls can limit unregulated gambling.

The US struggles with a unique problem because of its scattered rules. Unlawful betting websites are growing almost twice as fast as legal ones in the US. Over 80% of users see ads for unlicensed sites. People are now trying to tighten control on digital money and push big tech companies to better manage gambling content.

Ukraine has stepped up its crackdown. The country’s new watchdog PlayCity, which started after KRAIL was shut down, is teaming up with global tech firms like Meta to take down social media accounts that promote illegal casinos. The government has also blocked more than a hundred unlicensed sites thought to be sending money to Russia. Kyiv thinks Moscow uses the underground gambling world to fund its ongoing war.

A crucial element of Ukraine’s long-term plan involves creating a system to monitor bets and tax income in real time with transparency. The Ministry of Digital Transformation is working with tech experts to construct the platform, which should enhance supervision and boost public confidence in the regulated market.

The post UGC Calls for Global Teamwork to Stop Illegal Gambling appeared first on European Gaming Industry News.
