Connect with us

Latest News

Popular Gambling App Exposed Millions of Users in Massive Data Leak

Published

on

Reading Time: 5 minutes

 

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.

The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world.

Aside from leaking activity on the app, the breached database also exposed private user information.

With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.

Company Profile

Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.

Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8 star on both.

Timeline of Discovery and Owner Reaction

Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.

Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.

  • Date discovered: 19th March 2020
  • Date vendors contacted: 23rd March 2020
  • Date of contact with AWS: 31st March 2020
  • Date of Action: Approx. 5th April 2020

Example of Entries in the Database

Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:

  • “enter game”
  • “win”
  • “lose”
  • “update account”
  • “create account”

During our investigation of the database, new entries continued to appear continuously. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.

In total, this amounted to over 50GB of exposed records in the database every single day.

Within many of these records, were various forms of user Personally Identifiable Information (PII) data, including:

  • IP addresses
  • Email addresses
  • Winnings
  • Private messages

This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:

  • USA – 10,000+
  • UK – 2,475+
  • France – 1,650+
  • Israel – 408+
  • Germany – 1,582+
  • Spain – 1,026+
  • Italy – 2,407+
  • Netherlands – 622+
  • Australia – 6,251+
  • Canada – 7,792+
  • Brazil – 3,859+
  • Sweden – 191+
  • Russia – 547+

Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungry, and Latvia.

As you can see, on a single day, 10,000s of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.

Data Breach Impact

Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.

Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.

One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.

Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.

With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.

With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:

  1. Trick them into providing their credit card details
  2. Trick them into providing additional PII to be used against them in further fraud
  3. Clicking a link that embeds malware, spyware, or ransomware onto their device.

If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.

Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.

Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.

Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.

Impact on Clubillion and it’s Developers

The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.

With fewer players, Clubillion will lose advertising revenue and reduced profits.

As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.

Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.

Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.

Advice from the Experts

Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:

  1. Securing their servers.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.

For Clubillion Users

If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.

Our team was able to access this database because it was completely unsecured and unencrypted. 

Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.

These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.

The purpose of this web mapping project is to help make the internet safer for all users.

 

Source

Powered by WPeMatico

Continue Reading
Advertisement

content strategy

DuelBits says UFC creator campaign delivers 122m verified video views

Published

on

duelbits-says-ufc-creator-campaign-delivers-122m-verified-video-views

DuelBits has published results from its JUSTIN2026 marketing campaign, saying the UFC-focused activation generated more than 122 million verified video views and contributed to one of the company’s strongest MMA betting events “in recent years.”

The crypto sportsbook and casino operator said the campaign launched ahead of UFC event Freedom 250 at the White House and centred on former UFC lightweight champion Justin Gaethje. DuelBits framed the partnership as an early bet on Gaethje, before broader commercial interest.

According to the company, the campaign set a KPI to exceed 100 million impressions across owned, paid and partnered media, and ultimately delivered more than 122 million verified clip views via a network of more than 140 creators. The asset mix included a hero film, six short-form cutdowns, behind-the-scenes content and still imagery, distributed via DuelBits’ social channels, MMA publishers, creator partnerships and clipping pages.

DuelBits said the hero content was also integrated into Gaethje’s “Art of Violence” YouTube series. The operator added that the activation drove promotional code engagement and helped convert attention into sportsbook activity.

Jasper Hoekert, Chief Marketing Officer at Duelbits, said: “We wanted to support Justin before everyone else recognised the opportunity. Instead of following the hype once he has already achieved greatness, we wanted to back a champion before anybody else did.

“The campaign wasn’t measured purely on views. Of course, surpassing 122 million verified views and exceeding our 100 million KPI was a huge achievement, but the real success was seeing that attention convert into one of our strongest UFC betting nights in recent years.

“It also reinforced something that’s key to DuelBits as a brand, which is that we don’t do small campaigns. Whether it’s the production quality, creator network, or distribution strategy, we want every activation to show what’s possible when sportsbook marketing is treated like premium entertainment.”

The post DuelBits says UFC creator campaign delivers 122m verified video views appeared first on EE Gaming | Global iGaming & Tech Intelligence Hub.

Continue Reading

iGaming

Slotegrator now provides native app experience for iGaming platforms with PWA function

Published

on

slotegrator-now-provides-native-app-experience-for-igaming-platforms-with-pwa-function

Slotegrator’s platform solution now offers progressive web app (PWA) functionality, enabling operators to provide installable casino apps with push notifications, flexible branding, and seamless access across changing domains. 

The Casino Builder module in Slotegator’s platform solution has been upgraded with a Progressive Web Application (PWA) feature that allows casinos to deliver an app-like experience without relying on the App Store or Google Play. 

Native apps are powerful tools for building customer loyalty and enhancing engagement. However, iGaming brands face serious obstacles, such as strict marketplace policies, long review processes, geographic restrictions, and the constant threat of app removal. Slotegrator’s PWA functionality eliminates these barriers, allowing players to install a casino app directly from their browser and enjoy many of the same benefits as a native app.

After installation, the PWA opens from the user’s home screen, loads fast, and supports push notification integration that enhances player engagement and retention.

“Mobile is still the leading channel for user acquisition and retention; however, it’s difficult to distribute native apps in iGaming,” says Olga Ivanchik, COO at Slotegrator. “Our new PWA feature gives operators an alternative that will be familiar to their players, while eliminating the complications related to conventional app stores. Operators can launch quickly, retain full control over updates, and ensure a perfect mobile gaming experience for any market.”

Within the next 2 months, operators will also have the ability to determine when the PWA install bar will be visible to the player. For example, displaying the install bar immediately after the first deposit, as part of a broader retention strategy, helps drive long-term player LTV. The operator can also set up frequency of the install offer — daily, weekly, just once, etc. 

Some operators have to consider UX for multiple frontends. Luckily, the installation widgets are highly flexible, helping them drive maximum conversion without sacrificing user experience. Operators can select a top bar or a top banner installation widget, both of which are fully customizable with branded icons, messaging, and backgrounds.

Operators can limit the visibility of their installation campaigns to specific devices — desktop, mobile, Android, or iOS — thanks to special targeting options. Operators can also design acquisition strategies specific to each platform, driving installs only where they offer the best user experience.

When players install the PWA, operators can connect it to push notification services, so they can re-engage them even when the application isn’t actively open. 

Mirror domain compatibility addresses a common operational challenge in restricted markets. If an operator has to change domains due to licensing or regulatory requirements, players who have already installed the PWA will be able to continue using it without reinstallation.

Unlike native applications, PWAs don’t require App Store or Google Play approval, effectively eliminating possible delays and the risk of removal from the market. Instead, operators can deploy updates instantly to every user.

The new PWA functionality is now available in Slotegrator’s Casino Builder module, alongside other tools for improving mobile acquisition, engagement, and player retention.

ABOUT THE COMPANY

Since 2012, Slotegrator has been one of the iGaming industry’s leading software and business solution providers for online casino and sportsbook operators.

The company’s main focus is software development and support for online casino platforms, as well as the integration of game content and payment systems.

The company works with licensed game developers and offers a vast portfolio of casino content: slots, live casino games, poker, virtual sports, table games, lotteries, casual games, and data feeds for betting.

Slotegrator also provides consulting services in gambling license acquisition and business incorporation.

The post Slotegrator now provides native app experience for iGaming platforms with PWA function appeared first on EE Gaming | Global iGaming & Tech Intelligence Hub.

Continue Reading

iGaming

Slotegrator now provides native app experience for iGaming platforms with PWA function

Published

on

slotegrator-now-provides-native-app-experience-for-igaming-platforms-with-pwa-function

Slotegrator’s platform solution now offers progressive web app (PWA) functionality, enabling operators to provide installable casino apps with push notifications, flexible branding, and seamless access across changing domains. 

The Casino Builder module in Slotegator’s platform solution has been upgraded with a Progressive Web Application (PWA) feature that allows casinos to deliver an app-like experience without relying on the App Store or Google Play. 

Native apps are powerful tools for building customer loyalty and enhancing engagement. However, iGaming brands face serious obstacles, such as strict marketplace policies, long review processes, geographic restrictions, and the constant threat of app removal. Slotegrator’s PWA functionality eliminates these barriers, allowing players to install a casino app directly from their browser and enjoy many of the same benefits as a native app.

After installation, the PWA opens from the user’s home screen, loads fast, and supports push notification integration that enhances player engagement and retention.

“Mobile is still the leading channel for user acquisition and retention; however, it’s difficult to distribute native apps in iGaming,” says Olga Ivanchik, COO at Slotegrator. “Our new PWA feature gives operators an alternative that will be familiar to their players, while eliminating the complications related to conventional app stores. Operators can launch quickly, retain full control over updates, and ensure a perfect mobile gaming experience for any market.”

Within the next 2 months, operators will also have the ability to determine when the PWA install bar will be visible to the player. For example, displaying the install bar immediately after the first deposit, as part of a broader retention strategy, helps drive long-term player LTV. The operator can also set up frequency of the install offer — daily, weekly, just once, etc. 

Some operators have to consider UX for multiple frontends. Luckily, the installation widgets are highly flexible, helping them drive maximum conversion without sacrificing user experience. Operators can select a top bar or a top banner installation widget, both of which are fully customizable with branded icons, messaging, and backgrounds.

Operators can limit the visibility of their installation campaigns to specific devices — desktop, mobile, Android, or iOS — thanks to special targeting options. Operators can also design acquisition strategies specific to each platform, driving installs only where they offer the best user experience.

When players install the PWA, operators can connect it to push notification services, so they can re-engage them even when the application isn’t actively open. 

Mirror domain compatibility addresses a common operational challenge in restricted markets. If an operator has to change domains due to licensing or regulatory requirements, players who have already installed the PWA will be able to continue using it without reinstallation.

Unlike native applications, PWAs don’t require App Store or Google Play approval, effectively eliminating possible delays and the risk of removal from the market. Instead, operators can deploy updates instantly to every user.

The new PWA functionality is now available in Slotegrator’s Casino Builder module, alongside other tools for improving mobile acquisition, engagement, and player retention.

ABOUT THE COMPANY

Since 2012, Slotegrator has been one of the iGaming industry’s leading software and business solution providers for online casino and sportsbook operators.

The company’s main focus is software development and support for online casino platforms, as well as the integration of game content and payment systems.

The company works with licensed game developers and offers a vast portfolio of casino content: slots, live casino games, poker, virtual sports, table games, lotteries, casual games, and data feeds for betting.

Slotegrator also provides consulting services in gambling license acquisition and business incorporation.

The post Slotegrator now provides native app experience for iGaming platforms with PWA function appeared first on Americas iGaming & Sports Betting News.

Continue Reading

Trending

Get it on Google Play

Fresh slot games releases by the top brands of the industry. We provide you with the latest news straight from the entertainment industries.

The platform also hosts industry-relevant webinars, and provides detailed reports, making it a one-stop resource for anyone seeking information about operators, suppliers, regulators, and professional services in the European gaming market. The portal's primary goal is to keep its extensive reader base updated on the latest happenings, trends, and developments within the gaming and gambling sector, with an emphasis on the European market while also covering pertinent global news. It's an indispensable resource for gaming professionals, operators, and enthusiasts alike.

Contact us: [email protected]

Editorial / PR Submissions: [email protected]

Copyright © 2015 - 2024 - Recent Slot Releases is part of HIPTHER Agency. Registered in Romania under Proshirt SRL, Company number: 2134306, EU VAT ID: RO21343605. Office address: Blvd. 1 Decembrie 1918 nr.5, Targu Mures, Romania