Clubillion Social Gambling App User Data Exposed in Unsecured Database

  • Clubillion ranks as the #1 “social slots” app on both iOS and Android
  • A database belonging to Clubillion was left unsecured on AWS
  • The database contained every user action and personally identifiable information
  • There is no evidence of criminal use, but the data could be used in phishing scams
A team at vpnMentor found an unsecured database owned by popular social gambling app Clubillion containing 200 million user records per day. [Image: Shutterstock.com]

200 million records per day

One of the world’s most popular social gambling mobile apps left a database unsecured and unencrypted, allowing customers’ personal data to be accessible to anyone who knew where to look. According to a Tuesday report from vpnMentor, the social casino app Clubillion exposed approximately 200 million user records per day simply because of lax security.

The vpnMentor research team initially discovered the problem on March 19, finding the database hosted on Amazon Web Services (AWS) in the course of a web mapping project. The team contacted Clubillion’s developers on March 23 and AWS on March 31. The leak was closed on April 5.

The vpnMentor team said that it was diligent in verifying that everything it found was accurate, so that Clubillion could not deny the database leak’s existence or brush it off as inconsequential; hence the four-day delay from discovery to contact.


Clubillion is a free-to-play social casino app, available for both iOS and Android. It is highly rated on both platforms – 4.6 stars on the Google Play store and 4.8 stars on the Apple App Store – and has been downloaded millions of times. Released in 2019, Clubillion is ranked as the top “social slots” casino app in both marketplaces.

Personally identifiable information included

According to vpnMentor, the database contained “technical logs” for Clubillion users. It tracked every action a user made on the social gambling app. Logged records included events such as “win”, “lose”, “enter game”, and “update account”.

The database was active and live, not an archive; new entries continued to be added while the team was investigating. The team estimated that it recorded an average of 200 million records per day – 50GB worth of data.


Things like “win” or “lose” are fairly harmless, but the database also included IP addresses, e-mail addresses, winnings, and private messages – all things that could personally identify a player.

The United States led the daily average user count in the database, with over 10,000 users affected per day, but every country where the Clubillion app can be downloaded had hundreds or thousands of users’ action records logged on a daily basis.

Data could be used by scammers

Even if real names and postal addresses were not in the database (we assume they were not, as the report did not mention them), vpnMentor stressed in its report that a hacker could easily use the available information to scam customers. The database held enough information for a hacker to set up phishing schemes aimed at obtaining a person’s credit card information or additional personal details, or at tricking them into clicking a link that installs spyware or malware.

If malware invades a smartphone, it could then potentially access other apps, send texts, make phone calls, or steal contact information.

vpnMentor said that studies have found that gambling apps are “especially prone to attacks and hacking” and often lack transparency. In one study, 14% of the 23,000 apps investigated posed a “moderate risk” to users, and 52 contained verified malicious software.

There is no indication that criminals found the Clubillion dataset, as vpnMentor only stumbled upon it in the course of its work, but the threat remains.
