Online casino group leaks information on 108 million bets, including user details

An online casino group has leaked information on over 108 million bets, including details about customers' personal information, deposits, and withdrawals, ZDNet has learned.

The data leaked from an ElasticSearch server that was left exposed online without a password, Justin Paine, the security researcher who discovered the server, told ZDNet.

ElasticSearch is a portable, high-grade search engine that companies install to improve their web apps' data indexing and search capabilities. Such servers are usually installed on internal networks and are not meant to be left exposed online, as they usually handle a company's most sensitive information.

Last week, Paine came across one such ElasticSearch instance that had been left unsecured online with no authentication to protect its sensitive content. From a first look, it was clear to Paine that the server contained data from an online betting portal.

Despite being one server, the ElasticSearch instance handled a huge swathe of information that was aggregated from multiple web domains, most likely from some sort of affiliate scheme, or a larger company operating multiple betting portals.

After an analysis of the URLs spotted in the server's data, Paine and ZDNet concluded that all domains were running online casinos where users could place bets on classic cards and slot games, but also other non-standard betting games.

Some of the domains that Paine spotted in the leaky server included kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, just to name a few.

After some digging around, some of the domains were owned by the same company, but others were owned by companies located in the same building at an address in Limassol, Cyprus, or were operating under the same eGaming license number issued by the government of Curacao --a small island in the Carribean-- suggesting that they were most likely operated by the same entity.

The user data that leaked from this common ElasticSearch server included a lot of sensitive information, such as real names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information, and a list of played games.

Furthermore, Paine also found roughly 108 million records containing information on current bets, wins, deposits, and withdrawals. Data on deposits and withdrawals also included payment card details.

The good news is that the payment card details indexed in the ElasticSearch server were partially redacted, and they were not exposing the user's full financial details.

The bad news is that anyone who found the database would have known the names, home addresses, and phone numbers of players who recently won large sums of money and could have used this information to target users as part of scams or extortion schemes.

ZDNet reached out with emails to all the online portals whose data Paine identified in the leaky server. At the time of writing, we have not received any response from any of the support teams we contacted last week, but today, the leaky server went offline and is not accessible anymore.

"It's down finally. Unclear if the customer took it down or if OVH firewalled it off for them," Paine told ZDNet, after he, too, reached out to the cloud provider last week.

Seeing that none of the above-mentioned sites have responded to our request for comment, and nor has their mother company, it is unclear for how long the server had been left exposed online, how many users have been impacted exactly, if anyone outside the security researcher accessed the leaky server, and if customers will ever get notified that their personal data was left exposed on the internet in plain view.

UPDATE, January 22: A Mountberg Limited spokesperson has replied to ZDNet's request for comment with the following statement:

I would like to start by thanking Justin Paine not only for identifying the issue, but also for attempting to assist us in resolving it. This discovery of his, enabled us to take prompt action to secure our clients information avoiding any potential data spread. We are also grateful that it was Justin to discover this through his extensive expertise, as opposed to any other parties with less integrity and potential malicious intentions. Through this we were able to act in time and avoid sensitive data to be exposed or leaked further.

This event is one that should benefit both our company and the iGaming industry as a whole in the future. We work in a dynamic and ever changing technological environment that is progressing at a rapid rate. Cyber Security is a vital element of every online company in this current technological paradigm and we pride ourselves as being at the forefront of technological developments. The identification of this issue has allowed our company reassess the nature of our security protocols and procedures and we feel that, in the longer term having this occur will only strengthen our defences against such instances in the future. Furthermore, this should ensure that ourselves and other industry players can learn together and adapt our best practices and principles when it comes to situations with tangible risk. We see every identified, and unidentified, problem is an opportunity to grow.

More data breach coverage:

• Real-time location data for over 11,000 Indian buses left exposed online
• Online stores for governments and multinationals hacked via new security flaw
• Popular WordPress plugin hacked by angry former employee
• Advertising network compromised to deliver credit card stealing code
  
• Hacker behind ' Football Leaks' arrested in Hungary
• Twitter bug revealed private tweets for some Android users for almost five years
• Massive breach leaks 773 million email addresses, 21 million passwords CNET
  
• Marriott reveals data breach affecting 500 million hotel guests TechRepublic