Roughly 30GB of data impacting tens of thousands of users has been exposed due to a misconfigured Elasticsearch server owned by popular gaming site VIPGames.com. The site has 100,000 Google Play downloads and boasts 20,000 active daily players globally. Researchers at WizCase found the server, which contained no encryption or password protection. 23 records were exposed, including information such as usernames, device details, hashed passwords, Facebook IDs, IP addresses, and in-game transaction details.
In total, 66,000 separate users potentially had sensitive information exposed to bad actors on the web due to the misconfigured server. However, there are no signs of access so far. The information could be used to conduct convincing phishing attacks against the victims. VIPGames offers card games and others such as Crazy Eights, Rummy, Dominoes, Backgammon, Ludo, and Yatzy.