Popular Gambling App Exposed Millions of Users in Massive Data Leak
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.
The breach originated in a technical database built on an Elasticsearch engine, which was recording the daily activities of millions of Clubillion players around the world.
Aside from leaking activity on the app, the breached database also exposed private user information.
With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.
Company Profile
Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.
Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8-star rating on both.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.
Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.
- Date discovered: 19th March 2020
- Date vendors contacted: 23rd March 2020
- Date of contact with AWS: 31st March 2020
- Date of Action: Approx. 5th April 2020
Example of Entries in the Database
Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:
- “enter game”
- “win”
- “lose”
- “update account”
- “create account”
During our investigation of the database, new entries continued to appear. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.
In total, this amounted to over 50GB of exposed records in the database every single day.
Within many of these records were various forms of user Personally Identifiable Information (PII), including:
- IP addresses
- Email addresses
- Winnings
- Private messages
This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:
- USA – 10,000+
- UK – 2,475+
- France – 1,650+
- Israel – 408+
- Germany – 1,582+
- Spain – 1,026+
- Italy – 2,407+
- Netherlands – 622+
- Australia – 6,251+
- Canada – 7,792+
- Brazil – 3,859+
- Sweden – 191+
- Russia – 547+
Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungary, and Latvia.
As you can see, on a single day, 10,000s of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.
Data Breach Impact
Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.
Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.
One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.
Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.
With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.
With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:
- Trick them into providing their credit card details
- Trick them into providing additional PII to be used against them in further fraud
- Trick them into clicking a link that embeds malware, spyware, or ransomware onto their device.
If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.
Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.
Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.
Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.
Impact on Clubillion and its Developers
The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.
With fewer players, Clubillion will lose advertising revenue and see reduced profits.
As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.
Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.
Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.
Advice from the Experts
Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:
- Securing their servers.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.
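The following `elasticsearch.yml` is an added example, not Clubillion's or vpnMentor's configuration: it shows settings that match the exposure described in this report (commented out) beside hardened equivalents for the three measures listed above. The private address, certificate paths and node layout are assumptions; the setting names are standard Elasticsearch options.

```yaml
# elasticsearch.yml -- constructed example; addresses and file paths are placeholders.

# --- Exposed pattern (matches the report: reachable from the internet,
# --- no authentication, no encryption). Shown commented out for comparison.
# network.host: 0.0.0.0            # listens on every interface, including public ones
# xpack.security.enabled: false    # REST API answers any caller without credentials

# --- Hardened equivalent ---

# "Never leave a system that doesn't require authentication open to the internet":
# bind only to a private interface. 10.0.0.5 is a placeholder private address.
network.host: 10.0.0.5
http.port: 9200

# "Implement proper access rules": require authentication and role-based
# authorization for every request.
xpack.security.enabled: true

# Encrypt client traffic (HTTPS on the REST port). Keystore path is a placeholder.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# Encrypt and authenticate node-to-node traffic.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12

# Not expressible in this file ("securing the servers"): restrict inbound
# 9200/9300 at the network layer (for an AWS-hosted node, the instance's
# security group) to the application servers that write the logs, and give
# the log shipper a role limited to writing its own indices.
```

With security enabled and no anonymous access configured, an unauthenticated request to the REST port is rejected with HTTP 401 instead of returning index data.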
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
For Clubillion Users
If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.
To learn about data vulnerabilities in general, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.
Our team was able to access this database because it was completely unsecured and unencrypted.
Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.
The purpose of this web mapping project is to help make the internet safer for all users.
CJEU
Malta faces new dawn as EU courts gather strength
With Bill 55 on increasingly shaky ground amid a transitional era for online gambling, what does the future hold for Malta’s point-of-supply industry?
This week has seen the EU heap yet more pressure on Bill 55, a defensive measure introduced by the Maltese government to hold back a tidal wave of player refund lawsuits that could cost the industry hundreds of millions of euros.
Players in Austria and Germany have been able to successfully argue in court that they should be repaid all money lost to operators that offered gambling in their countries without a local licence. The cases stand to erase years of grey market earnings at many operators.
Bill 55, which in June 2023 became an official amendment to the Malta Gaming Act under the title Article 56A, allows judges to reject court rulings from other EU nations if they threaten the economic security of the island’s gambling industry.
It has served Maltese operators well since it was enacted, effectively blocking lawyers from passporting claims from Austria, Germany and elsewhere to the location where operators are legally headquartered, in order to force them to pay out.
This has triggered an international legal wrestling match, now being fought via a series of cases at the Court of Justice of the European Union (CJEU), the EU’s highest judicial authority.
So far, the judgements and opinions issued have not made comfortable reading for the Maltese industry or its regulatory officials.
Earlier this month, the court appeared to settle a longtime debate on which the entire premise of Malta as an offshore hub is founded. Judges said that the freedom to provide services within the EU does not allow for operators to ignore local prohibitions on certain types of gambling.
That was followed this week by an Advocate General (AG) advising judges that if they were to consider the legality of Bill 55, it should be struck down.
It also reaffirmed the court’s dim view of gambling as a cross-border service.
As the opinion put it: “Under the current state of EU law, Member States are under no obligation to recognise gambling licences issued by other Member States. Accordingly, a Maltese gaming licence is, in principle, valid only in Malta.”
This opinion is only advisory, and is unlikely to amount to anything in this particular case (C-683/24) because the AG also recommended that the case as a whole should be ruled inadmissible.
But this is just one in a handful of similar issues being considered by the CJEU and the more time that passes, the greater the pressure appears to be on Malta and Bill 55.
The EU is also taking a tandem approach: The European Commission, the EU’s executive arm, has itself opened an investigation into Malta and the legality of Article 56A and has indicated through its own statements and submissions to the CJEU that it considers the provision to be against EU law.
New tactics needed?
All of which leads to several difficult questions for Malta and the many gambling companies based there.
The first is a defensive issue: With Bill 55 on the ropes, how will the nation prevent the many operators who call its islands home from being stuck with a huge refund charge?
Work is already underway to mount a new defense. The tactic uses the same inspiration as Article 56A, which argues that allowing the foreign court judgments that demand large payments from operators would seriously damage the Maltese economy and thereby upset its “public policy”.
The EU principle, also known as “ordre public”, allows for member states to make legal exceptions in order to protect their society.
In a pair of new cases addressing transferred player refund claims from Austria, Maltese lawyers have argued, without reference to Bill 55, that granting the payment orders would upset the nation’s public order.
These two cases are a clear attempt to establish that, even without any specific Gaming Act amendments, the principle of ordre public protects Maltese gambling firms from having to pay up.
The problem is, the CJEU may have seen this coming.
“The fact that the enforcement of certain judgments may entail serious economic consequences for a national operator, an industry or even the Member State addressed does not justify recourse to the ‘public policy’ clause,” reads the recent AG opinion.
Lawyers in Malta, however, insist that the AG’s comments should be taken only to refer to Bill 55.
Meanwhile, lawyers fighting to recover refunds believe that cases like these, which have already been appealed, will themselves wind up in the CJEU and at least buy more time for Malta before payouts need to be made.
A new kind of industry hub?
Perhaps the more fundamental question is what Malta offers as a gambling hub over the next decade.
It’s been apparent for some time that the value of a Maltese licence is degrading, through no fault of local authorities.
As European nations gradually switched on their own licensing models, operators have needed to collect local approvals.
Even where nations have clung firmly to monopolies, like in Norway, authorities have also become more effective in enforcing against offshore operators who offer into their territories.
The clear trend of the CJEU also indicates that arguments based on the freedom to provide services are practically finished.
In face of this reality, regulators and business leaders in Malta are looking further afield. Maltese law firms have appeared in locations as far afield as the UAE and Taiwan in recent years, as they look to advertise the nation’s status as a centre of iGaming excellence to emerging online gambling markets.
Leaning into the density of online gambling expertise is also an increasingly important strategy for those looking to attract investment to Malta.
The reason that the industry flocked to Malta in the first place may no longer be relevant, but it’s still the case that two decades later the nation boasts a greater concentration of industry talent than in any other European nation.
There’s also been an increased focus on suppliers, which typically have lower local compliance overheads and more ability to run their businesses remotely from the territories where their content is used.
This sector, however, is increasingly subject to local licensing, as well as new compliance burdens designed by regulators looking to drive a wedge between on- and offshore online gambling markets.
Change is inevitable
Malta has demonstrated its ability to adapt and survive, but there’s little denying that the nation’s gambling industry has never been more under siege than it is now.
After decades of growth and success, new ideas are needed to steer the sector into a new phase.
The success with which it emerges from the Bill 55 era will have a dramatic impact on Europe’s online gambling sector and beyond.
The post Malta faces new dawn as EU courts gather strength appeared first on Eastern European Gaming | Global iGaming & Tech Intelligence Hub.
av advertising
BetVictor rolls out new brand campaign with biggest AV spend to date
BVGroup’s flagship brand BetVictor has launched a new brand campaign, “For All Your Favourite Things”, backed by what the company said is its largest AV investment to date.
The campaign, created by Barn Door Studios, uses a rewrite of “My Favourite Things” from The Sound of Music over visuals of sporting events. BetVictor said the creative focuses on “the uncomplicated thrill of sport and betting”.
BetVictor is timing the launch around this weekend’s Premier League schedule, with spots running alongside Arsenal vs Newcastle on Saturday evening and Chelsea vs Leeds on Sunday afternoon.
Media planning is led by Bountiful Cow. The plan includes a new partnership with Sky, spanning live sport integrations, on-demand, YouTube channels and targeted digital placements via Sky Advance. BetVictor also outlined a data-led SVOD and BVOD strategy across ITVX, Channel 4, Prime Video and Netflix, plus digital and social.
Richard Walters, Director of Brand and Creative at BetVictor, said:
“‘For All Your Favourite Things’ captures what BetVictor stands for today – a premium, straightforward experience that enhances the thrill of sport.
When done right, we believe that gambling is a simple pleasure; one that we love connecting our customers to. We wanted to celebrate the moments that matter most to sports fans.”
The post BetVictor rolls out new brand campaign with biggest AV spend to date appeared first on Eastern European Gaming | Global iGaming & Tech Intelligence Hub.
Africa
QTech Games wins Leader in Online Casino at SBEA+ Eventus Awards 2026
QTech Games has won the Leader in Online Casino award at the Annual Sports Betting East Africa (SBEA+) 2026 Summit in Nairobi, Kenya.
The company said it beat other shortlisted suppliers including SA Gaming, BetConstruct, and DST Gaming. The award is described by the event as recognising the “top all-round online casino platform for innovation, user engagement, and sustained growth” over the past year.
The SBEA+ Eventus Awards focus on the East African igaming and sports betting sector and were presented at a gala ceremony at the Argyle Grand Hotel. QTech Games said the judging period covered 2025/26 and that its aggregation platform performance was ranked highest by the panel.
QTech Games CEO Philip Doftvik said: “We’re thrilled to have walked off with another notable award for the best overall online-casino-platform provision in East Africa. Being shortlisted in such good company was already a result, but victory provides the real validation, particularly after running a great campaign at recent Eventus events in Africa. We’ve been promoting QTech Hybrid, our breakthrough retail solution, to great effect and it’s been fantastic to see that going live with a handful of top-tier clients on this continent has led to such overwhelmingly positive feedback and immediate success cases in the realm of genuine innovation.
“This win is testimony to our diligent team at QTech Games, and to the constantly growing group of innovative suppliers that our platform represents. It’s a truly collaborative effort. We remain committed to rolling out high-quality content that drives revenue for our worldwide partners across Africa and beyond. After all, in today’s marketplace, only premium games of the highest standard will separate you from the crowd, so we were delighted to see the panel acknowledge how our premier platform is delivering across Africa’s eclectic ecosystem. We’ve made our name as the pre-eminent aggregator in these evolving margin markets, delivering localised games that speak to a host of player proclivities. This award win will spur us on to new horizons.”
The post QTech Games wins Leader in Online Casino at SBEA+ Eventus Awards 2026 appeared first on Eastern European Gaming | Global iGaming & Tech Intelligence Hub.