Popular Gambling App Exposed Millions of Users in Massive Data Leak


Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.

The breach originated in a technical database, built on an Elasticsearch engine, that was recording the daily activities of millions of Clubillion players around the world.

Aside from leaking activity on the app, the breached database also exposed private user information.


With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.

Company Profile

Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.

Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8-star rating on both.

Timeline of Discovery and Owner Reaction

Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue is quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.


Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.

Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.

  • Date discovered: 19th March 2020
  • Date vendors contacted: 23rd March 2020
  • Date of contact with AWS: 31st March 2020
  • Date of Action: Approx. 5th April 2020

Example of Entries in the Database

Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:

  • “enter game”
  • “win”
  • “lose”
  • “update account”
  • “create account”

During our investigation of the database, new entries appeared continuously. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.

In total, this amounted to over 50GB of exposed records in the database every single day.

Within many of these records were various forms of user Personally Identifiable Information (PII) data, including:

  • IP addresses
  • Email addresses
  • Winnings
  • Private messages

This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:

  • USA – 10,000+
  • UK – 2,475+
  • France – 1,650+
  • Israel – 408+
  • Germany – 1,582+
  • Spain – 1,026+
  • Italy – 2,407+
  • Netherlands – 622+
  • Australia – 6,251+
  • Canada – 7,792+
  • Brazil – 3,859+
  • Sweden – 191+
  • Russia – 547+

Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungary, and Latvia.

As you can see, on a single day, 10,000s of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.

Data Breach Impact

Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.

Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.

One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.

Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.


With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.

With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:

  1. Trick them into providing their credit card details
  2. Trick them into providing additional PII to be used against them in further fraud
  3. Trick them into clicking a link that embeds malware, spyware, or ransomware onto their device.

If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.

Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.

Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.

Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.


Impact on Clubillion and its Developers

The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.

With fewer players, Clubillion will lose advertising revenue and see reduced profits.

As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.

Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.

Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.


Advice from the Experts

Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:

  1. Securing their servers.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.
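
One way to check the third point on a self-managed Elasticsearch node, as an added example (not vpnMentor's or Clubillion's code): the script reads `elasticsearch.yml`-style settings and flags a node that listens beyond loopback without authentication or TLS. The setting names are real Elasticsearch settings; the finding labels and both sample configs are constructed here, and an absent security setting is assumed to be off.

```python
import ipaddress

LOOPBACK_NAMES = {"localhost", "_local_"}  # names that resolve to loopback only

def parse_settings(text):
    """Parse flat 'key: value' lines, the dotted style used in elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # _site_, _global_ and other names are reachable off-host

def bind_hosts(settings):
    """Addresses the REST API binds to; http.host overrides network.host."""
    value = settings.get("http.host", settings.get("network.host", "_local_"))
    hosts = (h.strip().strip("\"'") for h in value.strip("[]").split(","))
    return [h for h in hosts if h]

def enabled(settings, key):
    # Assumption: an absent setting counts as off (conservative for an audit).
    return settings.get(key, "false").lower() == "true"

def audit(text):
    """Return finding labels (hypothetical names) for one config file's text."""
    settings = parse_settings(text)
    if all(is_loopback(h) for h in bind_hosts(settings)):
        return []  # only reachable from the host itself
    findings = []
    if not enabled(settings, "xpack.security.enabled"):
        findings.append("NO_AUTH_ON_NETWORK")
    if not enabled(settings, "xpack.security.http.ssl.enabled"):
        findings.append("NO_TLS_ON_NETWORK")
    return findings

# Constructed sample configs, not taken from the incident.
EXPOSED = """
cluster.name: game-logs
network.host: 0.0.0.0      # listens on every interface
"""
HARDENED = """
cluster.name: game-logs
network.host: 10.0.3.15
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

A clean result covers only the node's own settings; firewall or security-group rules in front of it need their own review.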

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.

For Clubillion Users

If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.


How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.

Our team was able to access this database because it was completely unsecured and unencrypted. 

Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.

These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.


The purpose of this web mapping project is to help make the internet safer for all users.

 
