It has been reported that casual gaming provider VIP Games has suffered a data breach, exposing millions of records relating to users of the service. VIP Games has more than 20,000 active daily players and offers popular games such as Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo, and Yatzy. The exposed data includes usernames, emails, device details, IP addresses, hashed passwords, Facebook IDs, Twitter IDs, Google IDs, in-game transaction details, bets, and details regarding banned players. Although the passwords are hashed with the bcrypt algorithm using 10 rounds, they can still be cracked with some effort.
<p>Another week, another ElasticSearch misconfigured server. This time, unfortunately, the gaming provider VIP Games has suffered a data breach. It is clear that those that choose to use cloud-based databases must perform the necessary due diligence to configure and secure every corner of the system properly. Sadly, with the recent wave of ElasticSearch, MongoDB, Big Data, and other Open Source breaches, it does look as though enterprises need to redouble their efforts on ensuring data security. Just because a product is widely available and highly scalable doesn’t mean that basic security measures and configurations are automatically applied or are robust enough to cover all security gaps. Beyond ensuring that products and services are correctly deployed and maintained by knowledgeable, experienced staff, organizations must also secure their cloud-based data by adopting a data-centric security model that protects the data at rest, in motion, and in use – even if a properly configured system is compromised and data actually falls into the wrong hands. If anyone is still snoozing while dreaming that their data is safe while “hidden in plain sight” on an “anonymous” cloud resource, the string of lapses around ElasticSearch instances is a wakeup call in the form of a 3 am fire alarm.</p>
<p>Unsecured servers are not uncommon, and this comes down to a lack of visibility and asset monitoring. One foundation of security is visibility, so it is essential to know what your estate looks like and what needs to be secured. With the cloud deployment model, systems can be spun up and deployed in minutes, but they can also be easily forgotten about, leaving an organisation open to exposure. Organisations should implement continuous asset profiling and alerting, in real time and non-stop, in order to detect rogue deployments and keep track of their assets.</p> <p>Luckily for VIP Games, the passwords were hashed according to best practice. Bcrypt (with multiple rounds) is generally a good solution and would be pretty difficult to crack. However, from a GDPR standpoint, they may not be as lucky. If the data exposed contains Personally Identifiable Information (PII), such as emails or social profiles, these could be used for phishing attacks, ransomware, malware, and possibly blackmail depending on what is exposed.</p>
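The "10 rounds" mentioned above is bcrypt's cost factor, which the hash string itself records (2^10 key-expansion iterations). The following is an added example, not code from the article or from VIP Games, that a defender could run over their own stored hashes to confirm which cost factor is actually in use; the minimum acceptable cost of 12 is an assumed policy threshold, and the sample hash strings are constructed test data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# bcrypt modular-crypt format: $<2a|2b|2y>$<two-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Assumed policy threshold (not from the article): flag hashes below this cost factor.
MIN_ACCEPTABLE_COST = 12


@dataclass
class BcryptInfo:
    variant: str      # "2a", "2b" or "2y"
    cost: int         # cost factor as stored in the hash
    iterations: int   # 2 ** cost key-expansion rounds
    weak: bool        # True when cost is below MIN_ACCEPTABLE_COST


def parse_bcrypt(hash_str: str) -> Optional[BcryptInfo]:
    """Return the cost parameters of a bcrypt hash, or None if it is not a valid bcrypt string."""
    m = _BCRYPT_RE.match(hash_str.strip())
    if not m:
        return None
    variant, cost_str, _salt, _digest = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:  # bcrypt only defines costs in this range
        return None
    return BcryptInfo(variant, cost, 2 ** cost, cost < MIN_ACCEPTABLE_COST)


def audit_hashes(hashes: List[str]) -> Dict[str, object]:
    """Summarise a password-hash column: bcrypt hashes per cost, weak count, and entries that are not bcrypt."""
    by_cost: Dict[int, int] = {}
    weak = unparsed = 0
    for h in hashes:
        info = parse_bcrypt(h)
        if info is None:
            unparsed += 1          # e.g. an unsalted MD5/SHA hex digest, or corrupt data
            continue
        by_cost[info.cost] = by_cost.get(info.cost, 0) + 1
        weak += info.weak
    return {"by_cost": by_cost, "weak": weak, "unparsed": unparsed}


# Constructed sample column: one cost-10 bcrypt hash, one cost-12 bcrypt hash, one raw MD5 hex digest.
SAMPLE_DUMP = [
    "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "$2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "5f4dcc3b5aa765d61d8327deb882cf99",
]

if __name__ == "__main__":
    print(audit_hashes(SAMPLE_DUMP))  # {'by_cost': {10: 1, 12: 1}, 'weak': 1, 'unparsed': 1}
```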