Latest News
Popular Gambling App Exposed Millions of Users in Massive Data Leak
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.
The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world.
Aside from leaking activity on the app, the breached database also exposed private user information.
With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.
Company Profile
Clubillion is a free online casino game available for iOS and Android, offering players 30+ free slot games. While each app is listed under a different developer – Ouroboros on iOS and T7 Games on Android – these are most likely owned by the same company.
Both versions of Clubillion were released in 2019 and became instant hits. Each is now ranked the #1 ‘social slots’ casino app on Google Play and the App Store, with a 4.8 star on both.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, the database was built on Elasticsearch and hosted on Amazon Web Services (AWS), with Clubillion’s name on its apps, and links to assets owned by the company.
Once Clubillion was confirmed as the owner of the database, we reached out to the developers. While awaiting a reply, we also contacted AWS with details of the leak. It was closed a few days later.
- Date discovered: 19th March 2020
- Date vendors contacted: 23rd March 2020
- Date of contact with AWS: 31st March 2020
- Date of Action: Approx. 5th April 2020
Example of Entries in the Database
Clubillion’s exposed database contained technical logs for millions of Clubillion users around the world, on both iOS and Android devices. Every time an individual player took any action on the app, a record was logged. Examples of records include:
- “enter game”
- “win”
- “lose”
- “update account”
- “create account”
During our investigation of the database, new entries continued to appear continuously. We estimated an average of approximately 200 million records per day – and sometimes, considerably more.
In total, this amounted to over 50GB of exposed records in the database every single day.
Within many of these records, were various forms of user Personally Identifiable Information (PII) data, including:
- IP addresses
- Email addresses
- Winnings
- Private messages
This data breach was truly global, with millions of records originating from Clubillion’s daily users all over the world. The following list is just a sample of countries affected, along with the average number of daily users from each country:
- USA – 10,000+
- UK – 2,475+
- France – 1,650+
- Israel – 408+
- Germany – 1,582+
- Spain – 1,026+
- Italy – 2,407+
- Netherlands – 622+
- Australia – 6,251+
- Canada – 7,792+
- Brazil – 3,859+
- Sweden – 191+
- Russia – 547+
Other countries affected included Uzbekistan, India, Poland, Romania, Vietnam, Lebanon, Indonesia, Philippines, Pakistan, Thailand, Austria, Hungry, and Latvia.
As you can see, on a single day, 10,000s of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyberattacks – along with millions more whose records were also contained in the database.
Data Breach Impact
Studies have shown that free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals. They are routinely targeted for theft of private data and embedding malicious software on users’ devices.
Despite their popularity, gambling and casino apps often lack transparency, and it can be impossible to know what steps they’re taking to prevent cybercriminals successfully targeting their users.
One study of 23,000 free gambling apps found that: 3,200 posed a ‘moderate risk’ to users; 379 had known security vulnerabilities; 52 contained malicious software.
Any of these issues could be exploited to target app users in a wide range of frauds and cyberattacks, and Clubillion is no different.
With the exposed user PII and knowledge of their activity on the app, hackers could create elaborate schemes to defraud users. For example, some entries also included transaction errors for attempted card payments on Clubillion.
With the information in these transaction errors, hackers could target users with phishing campaigns, with the following aims:
- Trick them into providing their credit card details
- Trick them into providing additional PII to be used against them in further fraud
- Clicking a link that embeds malware, spyware, or ransomware onto their device.
If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device. They could even access a user’s phone contacts and steal the PII data of their friends and family.
Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.
Clubillion stands to gain many new users, along with regular users playing more frequently. Hackers will be aware of this and looking for opportunities to exploit any vulnerabilities in the data security of such a massively popular app.
Had criminal hackers discovered Clubillion’s database, they could have targeted millions of people around the world, with devastating results.
Impact on Clubillion and it’s Developers
The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.
With fewer players, Clubillion will lose advertising revenue and reduced profits.
As many of Clubillion’s players reside within the EU, the app is under the jurisdiction of GDPR. The rules of GDPR also apply to apps, and Clubillion will need to take specific actions to ensure the regulatory body in charge doesn’t reprimand it.
Finally, Clubillion could also potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.
Each of these outcomes has a different likelihood of happening, but they would all negatively impact Clubillion’s revenue and business.
Advice from the Experts
Clubillion’s developers could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:
- Securing their servers.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
For Clubillion Users
If you play on Clubillion and are concerned about how this breach might impact you, contact the app’s developers directly to find out what steps it’s taking to protect your data.
To learn about data vulnerabilities in general, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in Clubillion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being leaked.
Our team was able to access this database because it was completely unsecured and unencrypted.
Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial company.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to Clubillion’s developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
These ethics also mean we carry a responsibility to the public. Clubillion users must be aware of a data breach that exposes so much of their sensitive data.
The purpose of this web mapping project is to help make the internet safer for all users.
Latest News
Week 40/2024 slot games releases
Here are this weeks latest slots releases compiled by European Gaming
Amusnet has released 40 Bulky Dice – a classic video slot full of lucky dice symbols with a modern twist, which tempts with lots of entertainment and fantastic prizes. This 5-reel, 40 fixed paylines slot game offers vivid gameplay, epic sound effects and an easy-to-use interface. Watch out for the colourful Joker, which is the Wild symbol and appears on the second, third and fourth reels.
BGaming has teamed up with famous rapper and record producer Snoop Dogg to create an iconic new slot, Snoop Dogg Dollars. The themed game is BGaming’s first branded content in collaboration with a celebrity and was exclusively launched with Roobet on 25th September, before going live across the wider network on 30th October.
Relax Gaming has delivered a knockout blow with its latest release, Feather Fury. Fists are flying in this 3×2 boxing-themed slot, where players can win up to 5,000x their stake thanks to a truly unique mechanic that awards respins following dead spins. Every dead spin that is registered automatically adds a notch to the bar, with 10 dead spins being enough to trigger Feather Fury’s respin feature.
“Reel Rabbit” from Hölle Games is already live, a new entry in the Reel franchise. This 5×3, 25 payline slot continues in the footsteps of furry friends Fox, Tiger and Wolf, and while it might be the most mild-mannered mammal of the bunch, Reel Rabbit still packs a hefty punch!
Step into the vibrant world of Muertos Fortuna, an exciting slot game from Zillion Games, featuring 3D animation and engaging features. Muertos Fortuna, inspired by Día de los Muertos and Halloween, brings vibrant animations and the unique presence of Catrina Muerte, who may appear during gameplay to interact and cheer you on with fun phrases, adding an engaging element to the experience.
Play’n GO invites players to revisit the mystical world of the beyond in Lady of Fortune Remastered, where the future holds untold riches and mysterious revelations. Venture where the veil between our world and the unknown is thin, and fortunes await those who dare to look. This 5×3 video slot revisits the popular title, Lady of Fortune, now with enhanced visuals and enriched gameplay.
Belatra Games has released its latest hot shot, Lucky Bandits. This exhilarating escapade launches players into the lawless lands of the Wild West that are brought to life with stunning visuals, immersive soundscapes, and thrilling gameplay. The game is bursting with engaging features such as Free Games, Hot Mode, and the intense Shot and Dynamite Bonuses.
Intrepid players are being given the chance to venture back in time to a land ruled by the great Pharaohs where they can uncover relics, treasures and big wins in Gold of Egypt, the latest slot from Silverback Gaming. In Gold of Egypt, players find themselves in a hot and arid desert at the entrance to a secret tomb. As the reels spin, ancient symbols land on the reels including a Cat, Snake, Scorpion and Scarab, as well as different hieroglyphics.
They say Rome wasn’t built in a day, but in Swintt’s all-new slot sensation, Hidden Treasures of Rome, players’ fortunes can certainly be built up in seconds thanks to the presence of Free Spins, a rewarding tumble feature and random multipliers that offer a maximum payout of up to 5,000x the stated win.
On October 2nd Endorphina, released its newest slot game, Panda Strike, now available for play in most online casinos. Panda Strike is a 5-reel, 4-row oriental slot with 40 fixed paylines. Set in a small Chinese town, the slot encourages players to master concentration and self-discipline, leading them to face the legendary panda, a master of the martial arts.
Amusnet has released its new online slot game, 10 Vampire Bites. The game has 11 symbols scattered across 5 reels and 10 paylines. The video slot game also showcases a hauntingly beautiful gothic design that immerses players in a world of mystery, while the atmospheric soundtrack further enhances the eerie experience, drawing players deeper into the chilling narrative.
Latest News
How Do Casinos Detect Fake Chips and Cheat Devices?
One of the biggest challenges that brick-and-mortar casinos must deal with to run their business efficiently, is fraud. For as long as gambling establishments have been around, people have been trying to cheat at the games they provide.
So how do casinos keep themselves ahead of the game? There is a tremendous amount of unseen security that happens in a casino establishment, so much so that people may not even notice its sheer volume.
All casinos, be it digital platforms or land-based establishments, deal with money. Any low deposit Czech online casino, an online casino no minimum deposit Philippines platform or a Canadian casino site has security to protect digital payment transactions. And physical casinos have to work hard to stay one step ahead of the game. Here are some of the methods they use to protect themselves.
Fake Chips
Chips are currency in the casino, which makes them a big target for counterfeiters, but making them is no easy process. That’s down to the security measures embedded in real chips, which makes them very hard to replicate.
Making this even tougher for would-be scammers, is the fact that all casinos use different designs for their chips, and the variations between them can be in the form of marking, colours, style and even weight.
This is a very important aspect because if a counterfeiter went through all the effort and expense to make chips for just one casino, there’s a greater chance of them being caught than if they were spreading the chips around at various establishments.
But casinos take a lot of other steps to protect themselves against fake chips.
RFID Technology
At the top end of casino play, it’s common for higher-value chips to have RFID technology built into them. These signals can be detected by the casino’s systems and tracked at any moment. So if a chip turns up at a table or a cashier’s cage and an RFID signal is not received, that’s a problem.
Ultraviolet
Chips also have hidden UV markings on them, making it difficult for them to be replicated. Standard practice for casino workers is to go through the floats that hold the chips and scan them with a UV light. If a chip’s missing a marker, it’s flagged.
The Trained Eye
Casino workers are trained to know their chips, so sometimes a visual inspection can be enough to catch a fraudster if a slight difference in the shade of green on a $25 chip is spotted, for example, or the weight feels a little off in the hand. This is naturally a little more difficult to reveal, but it’s part of the security along with random audits and chip counting on a shift.
Chip Fingerprinting
Chips come from a mould, and this makes forensic fingerprinting of chips possible as well. That means at a microscopic level, the chips are going to have the same flaws as that mould. If a suspect chip doesn’t match the mould as it should, then it’s not going to be a genuine casino product.
Personal Checks
Another rule that casinos follow for protection against fake chips is undergoing checks on players. Wherever a player tries to buy into a game with a high-value chip of at least $500 a security check on the person will be performed. If the player refuses to give their ID or have their photo taken, well that just makes them look extremely suspicious.
Part of money laundering laws also means that players can’t buy in at a certain level (typically $10K) without validating their ID. Casinos also have phenomenal surveillance systems that can track individual high-value chips, so they can account for where they are at any time. Trying to introduce fake high-value chips is, therefore, high-risk stuff.
That’s also part of the reason anyone who attempts this will typically go for lower denomination chips, with the $100 being the most frequently faked.
Cheat Devices
Cheat devices that are taken onto the casino floor to try and manipulate games are another thing that casinos have to deal with. These are electronic devices that can send signals to players at a poker table from spotters or ones that can be inserted into slot machines to manipulate the mechanics.
How do casinos detect these? Metal and radio signal detectors can help scope these out. But again, the “big eye in the sky”, the surveillance systems play a large part in this. It watches everything and tracks everything, and even the slightest suspicion about something will raise a red flag.
There are also consequences for trying to use fake chips, as it can lead to casino bans, criminal charges being pressed against you and prosecution.
Latest News
Blask expands coverage with new European and Asian markets
Blask, the AI-driven market analytics ecosystem, continues its rapid expansion towards the goal of providing high-quality iGaming data for the entire world, with the addition of 10 major new markets.
All Blask users now have access to real-time data, including estimates of GGR, FTDs, Blask Index, and Relative market share by brand, for the new markets, which include the Philippines, the Netherlands, Poland, Serbia, Bulgaria, Malaysia, and North Macedonia.
“As we onboard more users to Blask, we are listening to them closely and adding new markets based on demand,” said Blask CEO and co-founder Max Tesla. “This latest Europe and Asia-focused update provides the most accurate, real-time data available for some of the most important iGaming jurisdictions in the world. Blask is already providing a data-driven edge to users, and we’ll continue to deliver on our roadmap to make it a must-have for anyone seeking a deeper understanding of our industry.”
Blask now offers data from a total of 34 global iGaming jurisdictions. In August, the team rolled out several new Latin American and African markets to meet the demand for accurate data in emerging regions.
As well as new markets, additional functionality is also being added to Blask. This includes a recent update that brings comprehensive customer profiling to the platform.
The company recently announced the appointment of Greg Penkov as Chief Revenue Officer to help bring Blask to new customers.
-
eSports4 days ago
European Gaming talks to Joseph Noone Senior Sales Manager at PandaScore
-
Asia4 days ago
Fun88 and Dale Steyn Team Up for Another Winning Partnership
-
Conferences in Europe4 days ago
Can Fun Be Safe? The Role of Social Responsibility in Slot Game Design
-
Industry News4 days ago
CT Interactive’s Successful Participation at SBC Summit Lisbon 2024
-
Latest News7 days ago
Bacta encouraged by Gambling Minister support for White Paper
-
Industry News4 days ago
Betsson Group Celebrates Major Wins at the SBC Awards 2024 in Lisbon
-
Australia4 days ago
Discover PlayCroco.com Casino: Top Games, Bonuses, & Exceptional Support
-
Gambling in the USA4 days ago
Gaming Americas Weekly Roundup – September 23-29