Popular Gambling App Exposed Millions of Users in Massive Data Leak

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.

The breach originated in a technical database that was built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world.

Aside from leaking activity on the app, the breached database also exposed private user information.

With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.

Company Profile

Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.

Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8-star rating on both.

Timeline of Discovery and Owner Reaction

Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue is quickly resolved. But these times are rare. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.

Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.

  • Date discovered: 19th March 2020
  • Date vendors contacted: 23rd March 2020
  • Date of contact with AWS: 31st March 2020
  • Date of Action: Approx. 5th April 2020

Example of Entries in the Database

Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:

  • “enter game”
  • “win”
  • “lose”
  • “update account”
  • “create account”

During our investigation of the database, new entries continued to appear. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.

In total, this amounted to over 50GB of exposed records in the database every single day.

Many of these records contained various forms of user Personally Identifiable Information (PII), including:

  • IP addresses
  • Email addresses
  • Winnings
  • Private messages

This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:

  • USA – 10,000+
  • UK – 2,475+
  • France – 1,650+
  • Israel – 408+
  • Germany – 1,582+
  • Spain – 1,026+
  • Italy – 2,407+
  • Netherlands – 622+
  • Australia – 6,251+
  • Canada – 7,792+
  • Brazil – 3,859+
  • Sweden – 191+
  • Russia – 547+

Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungary, and Latvia.

As you can see, on a single day, tens of thousands of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.

Data Breach Impact

Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.

Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.

One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.

Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.

With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.

With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:

  1. Trick them into providing their credit card details
  2. Trick them into providing additional PII to be used against them in further fraud
  3. Trick them into clicking a link that embeds malware, spyware, or ransomware onto their device.

If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.

Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.

Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.

Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.

Impact on Clubillion and Its Developers

The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.

With fewer players, Clubillion will lose advertising revenue and see reduced profits.

As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.

Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.

Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.

Advice from the Experts

Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:

  1. Securing their servers.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.
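
As an added illustration of the third point (this is not vpnMentor's or Clubillion's code), the following Python sketch audits an elasticsearch.yml for the combination described in this report: an HTTP API bound to a non-loopback address with authentication or TLS switched off. It assumes the flat dotted-key form of the file and the pre-8.0 behaviour where security is off unless enabled; both sample configs are constructed.

```python
import ipaddress

# Constructed sample configs (not taken from the exposed system).
WEAK = """
cluster.name: game-logs        # constructed sample
network.host: 0.0.0.0
http.port: 9200
"""
HARDENED = """
cluster.name: game-logs
network.host: [127.0.0.1, 10.0.0.5]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines. Assumption: no nested YAML maps."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)          # first colon only, so '::1' survives
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def hosts(value):
    """Split a single host or an inline list such as [a, b] into host strings."""
    return [h.strip().strip("\"'") for h in value.strip("[]").split(",") if h.strip()]

def is_loopback(host):
    if host.lower() in {"localhost", "_local_"}:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False   # hostnames, _site_, _global_: treat as network-reachable

def as_bool(settings, key, default):
    return settings.get(key, str(default)).lower() == "true"

def audit(text, security_default=False):
    """Return (code, detail) findings. security_default=False models pre-8.0 defaults."""
    s = parse_flat_yaml(text)
    # http.host overrides network.host for the REST API; the default bind is loopback.
    bind = s.get("http.host", s.get("network.host", "_local_"))
    exposed = [h for h in hosts(bind) if not is_loopback(h)]
    findings = []
    if not exposed:
        return findings                          # loopback only: not reachable from outside
    where = ", ".join(exposed)
    if not as_bool(s, "xpack.security.enabled", security_default):
        findings.append(("unauthenticated", "HTTP API on %s requires no login" % where))
    if not as_bool(s, "xpack.security.http.ssl.enabled", False):
        findings.append(("unencrypted", "HTTP API on %s is served without TLS" % where))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A clean result only covers the Elasticsearch settings themselves; the AWS security group or firewall in front of the node still needs its own review.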

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.

For Clubillion Users

If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.

Our team was able to access this database because it was completely unsecured and unencrypted. 

Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.

These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.

The purpose of this web mapping project is to help make the internet safer for all users.

 


Copyright © 2015 - 2024 - Recent Slot Releases is part of HIPTHER Agency. Registered in Romania under Proshirt SRL, Company number: 2134306, EU VAT ID: RO21343605. Office address: Blvd. 1 Decembrie 1918 nr.5, Targu Mures, Romania