Publicly accessible data
The WinStar World Casino and Resort in Oklahoma is the self-proclaimed largest land-based casino in the world by square footage. Its My WinStar app allows patrons to keep track of their loyalty rewards, access services at the resort, and view their gambling results. TechCrunch revealed late on Friday that a database containing the personal data of an unknown number of users of this app was leaked.
The weak point was reportedly the developer of the app, a Nevada-based startup called Dexiga. The company did not put password protection on one of its online logging databases, which meant that anyone who knew the public IP address was able to access the My WinStar app customer data. TechCrunch contacted Dexiga about the issue and the company quickly took down the database.
Uncovering the leak
Security researcher Anurag Shen discovered the issue without knowing what company’s database it was. He contacted TechCrunch after finding the exposed data that includes email addresses, phone numbers, genders, IP addresses, full names, and residential addresses.
TechCrunch verified the issue and found that the data was not encrypted. Certain types of sensitive information like the dates of birth were redacted. The online media company eventually linked the database to Dexiga after finding internal account information of the company’s founder Rajini Jayaseelan. The startup’s website lists WinStar as a client.
Many unknowns
TechCrunch went as far as to download the My WinStar app and create an account to see if their signup details would appear in the accessible database. They showed up immediately and the company got in touch with Dexiga.
Dexiga explained that the issue stems from a log migration last month and did not reveal the initial data exposure date. The company’s founder also did not confirm whether it is able to tell if anyone else accessed the database.