Users of the Largest Global Land-Based Casino’s App Suffer Personal Data Leak

  • The database was viewable without a password if someone knew the IP address
  • A security researcher discovered the leak and got into contact with TechCrunch
  • TechCrunch verified the leak and contacted the developer of WinStar’s app
TechCrunch has revealed that users of WinStar Casino’s app have potentially had their personal data compromised. [Image: Shutterstock.com]

Publicly accessible data

The WinStar World Casino and Resort in Oklahoma is the self-proclaimed largest land-based casino in the world by square footage. Its My WinStar app allows patrons to keep track of their loyalty rewards, access services at the resort, and view their gambling results. TechCrunch revealed late on Friday that a database containing the personal data of an unknown number of users of this app was leaked.  

The weak point was reportedly the developer of the app, a Nevada-based startup called Dexiga. The company did not put password protection on one of its online logging databases, which meant that anyone who knew the public IP address was able to access the My WinStar app customer data. TechCrunch contacted Dexiga about the issue and the company quickly took down the database.

Uncovering the leak

Security researcher Anurag Shen discovered the issue without knowing which company’s database it was. He contacted TechCrunch after finding the exposed data, which included email addresses, phone numbers, genders, IP addresses, full names, and residential addresses.

Chickasaw Nation owns WinStar Casino, located near Oklahoma’s border with Texas. The property offers over 8,500 slot games, 100 table games, and a large poker room.

TechCrunch verified the issue and found that the data was not encrypted. Certain types of sensitive information like the dates of birth were redacted. The online media company eventually linked the database to Dexiga after finding internal account information of the company’s founder Rajini Jayaseelan. The startup’s website lists WinStar as a client.

Many unknowns

TechCrunch went as far as to download the My WinStar app and create an account to see if their signup details would appear in the accessible database. They showed up immediately and the company got in touch with Dexiga.

Dexiga’s website says that it provides an “intuitive, feature-packed, and secure” mobile platform for casinos. The only client from which it has a testimonial is WinStar.

Dexiga explained that the issue stems from a log migration last month and did not reveal the initial data exposure date. The company’s founder also did not confirm if it is able to tell if anyone else accessed the database.
