Clubillion Social Gambling App User Data Exposed in Unsecured Database

  • Clubillion ranks as the #1 “social slots” app on both iOS and Android
  • A database belonging to Clubillion was left unsecured on AWS
  • The database contained every user action and personally identifiable information
  • There is no evidence of criminal use, but the data could be used in phishing scams
Dan Katz

Dan Katz graduated with a BS in Commerce from the University of Virginia and an MBA from Emory University. He clearly uses neither of those degrees now, having been writing about the gambling industry (specializing in poker) since 2005. Prior to that, he was an IT and management consultant. He is an avid gamer, primarily on PC, and enjoys collecting retro video games and consoles; finding room to set them all up is his current challenge. Dan lives in Atlanta, Georgia with his wife and two children. You can get in touch with Dan at dan@vegasslotsonline.com.

Green "shield lock" on top of green computer text and images
A team at vpnMentor found an unsecured database owned by popular social gambling app Clubillion containing 200 million user records per day. [Image: Shutterstock.com]

200 million records per day

One of the world’s most popular social gambling mobile apps left a database unsecured and unencrypted, allowing customers’ personal data to be accessible to anyone who knew where to look. According to a Tuesday report from vpnMentor, the social casino app Clubillion exposed approximately 200 million user records per day simply because of lax security.

The vpnMentor research team initially discovered the problem on March 19, finding the database hosted on Amazon Web Services (AWS) during the course of working on a web mapping project. It contacted Clubillion’s developers on March 23 and AWS on March 31. The leak was closed on April 5.

The vpnMentor team said that it was diligent in verifying that everything it found was accurate so that Clubillion could not deny the database leak’s existence or brush it off as inconsequential. Hence, the four-day delay from discovery to contact.

Clubillion is ranked as the top “social slots” casino app in both marketplaces.

Clubillion is a free-to-play social casino app, available for both iOS and Android. It is highly rated on both platforms – 4.6 stars on the Google Play store and 4.8 stars on the Apple App Store – and has been downloaded millions of times. Released in 2019, Clubillion is ranked as the top “social slots” casino app in both marketplaces.

Personally identifiable information included

According to vpnMentor, the database contained “technical logs” for Clubmillion users. It tracked every action a user made on the social gambling app. Records logged included things like “win”, “lose”, “enter game”, and “update account”.

The database was active and live, not an archive; new entries continued to be added as the team was investigating. They estimated that it recorded an average of 200 million records per day – 50GB worth of data.

the database also included IP addresses, e-mail addresses, winnings, and private messages

Things like “win” or “lose” are fairly harmless, but the database also included IP addresses, e-mail addresses, winnings, and private messages – all things that could personally identify a player.

The United States led the daily average user count on the database, with over 10,000 users affected per day, but every country where the Clubillion app can be downloaded had hundreds or thousands of users’ actions records on a daily basis.

Data could be used by scammers

Even if real names and postal addresses were not in the database (we assume they were not, as they were not mentioned), vpnMentor stressed in its report that a hacker could easily use the available information to scam customers. Enough information was in the database to allow a hacker to set up phishing schemes to try to get a person’s credit card information, additional personal details, or trick them into clicking a link that installs spyware or malware.

If malware invades a smartphone, it could then potentially access other apps, send texts, make phone calls, or steal contact information.

vpnMentor said that studies have found that gambling apps are “especially prone to attacks and hacking” and often lack transparency. In one study, 14% of the 23,000 investigated were of “moderate risk” to users. 52 contained verified malicious software.

There is no indication that criminals did find the Clubillion dataset, as vpnMentor only stumbled upon it in the course of its work, but the threat is possible.

Leave a Reply

Your email address will not be published. Required fields are marked *

Other Related News

We use cookies on this site to enhance your user experience.
By clicking any link on this page, you are giving consent to our use of cookies.

Cookie Overview

VegasSlotsOnline uses cookies to enhance your experience as you navigate through the website. Some of these cookies are categorized as essential because they are essential for the working of the basic functionalities of the website. Essential cookies are stored on your browser. We also use third-party cookies that help us analyze and understand how you use this website. These are non-essential cookies and are stored on your browser only with your consent. You have the option to opt-out of non-essential cookies, but this may affect your browsing experience.

Necessary  (Always Enabled)

Essential cookies are absolutely essential for the website to function properly. This category only includes cookies that ensure the basic functionalities and security features of the website. These cookies do not store any personal information.

Non-Essential ( Enabled Disabled )

Any cookies that may not be particularly necessary for the website to function and are used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-essential cookies. It is mandatory to procure user consent prior to running these cookies on your website.