Wed, Jan 23, 12:09pm by Staff Writer
An online casino group has leaked information on more than 108 million bets, including details about customers’ personal information, deposits and withdrawals according to Bleeping Computer.
An unsecured ElasticSearch database was discovered exposing the details, which also included the bettors’ address, email address and partial credit card numbers.
ElasticSearch is a portable, high-grade search engine that companies install to improve their web apps’ data indexing and search capabilities.
Such servers are usually installed on internal networks and are not meant to be left exposed online, as they usually handle a company’s most sensitive information.
The man who discovered the data, security research Justin Paine accessed the information online without a password.
Despite being just one server, the ElasticSearch portal handled an array of information that was aggregated from multiple web domains, most likely from an affiliate scheme or a larger company with multiple betting portals.
Some of the domains that Mr Paine spotted included kahunacasino.com, azur-casino.com, easybet.com and viproomcasino.net to name a few.
After analysing the URLs spotted in the server’s data, ZDNet and Paine concluded that all domains were running online casinos where users could bet on classic card and slot games, but also other non-standard betting games.
Some research discovered that some of the domains were owned by companies located in the same building in Limassol, Cyprus. The parent company in question is called Mountberg Limited.
Others were operating under the same eGaming license number issued by the government of Curacao, a small island in the Caribbean, with license number 1668/JAZ.
Online Casino Database Leaks Details of Over 100 Million Bets – An unsecured ElasticSearch database was discovered exposing the details for over 108 million bets at various online casinos. The leaked information contained numerous details including the b… https://t.co/UZsAMnuRZD
— G & R Computers (@GRComputers) January 22, 2019
A Mountberg Limited spokesperson replied to ZDNet’s request for comment with the following statement.
“I would like to start by thanking Justin Paine not only for identifying the issue, but also for attempting to assist us in resolving it.”
“This event is one that should benefit both our company and the iGaming industry as a whole in the future. We work in a dynamic and ever changing technological environment that is progressing at a rapid rate.”
“Cyber Security is a vital element of every online company in this current technological paradigm and we pride ourselves as being at the forefront of technological developments.”
The good news to come from this data breach is that the payment card details indexed in the ElasticSearch server were partially redacted and they were not exposing the user’s full financial details.
The bad news is that anyone who found the database would have known the names, home addresses and phone numbers of players who recently won large sums of money. This could be used to target users as part of scam or extortion schemes.
ZDNet reached out with emails to all online portals whose data Paine identified in the leaky server.
“It’s down finally. Unclear if the customer took it down or if OVH firewalled it off for them,” Paine told ZDNet after he reached out to the cloud provider last week.
Betting companies being embroiled in data breaches is nothing new, with UK giant Paddy Power admitting hackers stole personal details from more than 600,000 customers in a cyber attack in 2010.
The data hacked by a man in Canada included the name, username, postal address, email address, phone number, date of birth and security questions and answers of customers. The company denied that credit or debit card details were compromised according to The Telegraph.
Gibraltr-based BetVictor left a password list for its internal systems on its website for anyone to find in 2018.
The two-page document contained links to back office systems, including usernames and passwords.
Many of the systems were accessible externally – though, none of the credentials were tested to avoid breaking computer hacking laws, ZDNet said.
Slovakia’s parliament passed a new gambling act in December 2018 that will allow foreign operators to take bets in the country. The…
The Australian Capital Territory’s Attorney-General Gordon Ramsay has announced that the number of gaming machines that can be operated in the Territory…
Three people accused of fleecing Sydney’s The Star casino out of $3 million dollars have been acquitted after it was found that…