The Battle for the Galaxy game developer inadvertently exposed personal data for millions of users through a misconfigured cloud database. Researchers from the cyber security firm WizCase said the data leak exposed email addresses, IP addresses, Facebook data, and other details for nearly six million game players.
They added that the leaked data was accessible to anybody with the link because the database wasn’t password protected.
Battle for the Galaxy depicts a combat scenario by allowing players to build armies and battle other players’ forces. The game is available on Android, iPhone, Steam, and from the company’s servers through a browser.
The game belongs to AMT Games, a China-based company whose development offices are located in Russia, while its corporate offices are in China.
Personal data and transaction information exposed in the Battle for the Galaxy data leak
The unsecured ElasticSearch server belonging to the China-based game developer exposed 1.47 terabytes of customer data, according to WizCase researchers.
The treasure trove included 5.9 million player profiles, 2 million transaction records, and 587,000 feedback messages.
The feedback messages displayed the users’ Account ID, email addresses, and the feedback rating.
Exposed player profile data includes playerId, username, country of origin, the amount spent, Facebook, Apple, and Google account data linked to their gaming account.
Transaction data exposed the name of the item purchased, its price, the time of purchase, and the payment provider, such as Amazon, Apple, Facebook, Google, Samsung, and Steam, among others. Additionally, some transaction records contained the buyers’ IP addresses.
Under 1% of players earn the Battle for the Galaxy game developer 90% of the profits
WizCase researchers found that players could spend over $907 through in-app purchases. However, out of 10,000 players, 8,552 did not make any purchases, 746 spent less than $1, while 651 spent between $1 and $100.
Only 33 players out of a 10,000-sample spent more than $100. Consequently, the researchers discovered that 0.33% of the players earned the game developer 90% of the profits.
“Users who spend large amounts of money on in-app purchases for mobile games are called ‘whales.’ These users are prized and preyed on by mobile games to increase their profits,” the researchers wrote.
Game developers use various tactics such as loot boxes, locking progress, and using long delay timers to coerce the “whales” to spend via in-app purchases. They also target them using ads and special offers to increase the possibility of making purchases.
“While we cannot comment on if Battle for the Galaxy specifically uses predatory business practices, these practices, especially loot boxes, are common in the bulk of free-to-play mobile games as well as console/PC games, like Overwatch, League of Legends, and Fortnite,” the researchers said.
AMT Games company secures exposed ElasticSearch database server
WizCase informed the Battle for the Galaxy game developer of the data leak. Although AMT Games did not respond to further queries, the company secured the database, preventing further access.
However, WizCase warned that if unethical hackers and criminals on the Internet accessed the personal information exposed, they could use it for phishing scams and spreading malware.
In April, malicious actors used the Call of Duty “War Zone” to deliver malware by promising players various cheat tools. Similarly, the role-playing video game Cyberpunk 2077 experienced attacks shortly after release while spammers targeted the Among Us players late last year. A data leak on Resident Evil exposed 400,000 player user accounts while hackers stole 46 million records from the online children’s game Animal Jam.
The information could also allow bad actors to pose as game support and target users having various issues with the service. Additionally, competitors who gained access to the players’ personal information could use it to lure them over to their own platform.
“With data on how much money has been spent per account, these conmen could target the highest-paying users, many of whom are children judging by their game history, time spent in game, circle of friends in-game, etc. and have an even higher chance of success than they would otherwise.”
WizCase advised users to disclose minimal information when creating accounts or buying online. They also advised parents to avoid giving children their credit card information, to prevent them from being preyed on by game developers and cybercriminals alike.
Commenting on the Battle for the Galaxy data leak, Javvad Malik, Security Awareness Advocate at KnowBe4, says cloud misconfigurations are common and routinely expose hundreds of thousands of customer records.
“A point to note is that these exposures aren’t due to technical controls not being made available,” Malik added. “Rather, it is caused by human error, either through not enabling the right configuration, not being aware of what needs to be set, or a failure in checking to ensure all the settings are correct.”
He noted that such security lapses could be addressed by adopting a “culture of security.” Under this approach, every team member takes responsibility for ensuring that all systems are secured and working properly.
“Without this kind of approach, we will likely see these kinds of exposures continue,” Malik concluded.
Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group, says that organizations should define an exception-based model for configuration settings to prevent potential data leaks.
“Under this model, an audit level review of configuration data is performed to create a set of approved configuration settings and files,” Mackey explains. “Any update to those previously approved settings then requires that same audit level review for the changes, and the current configuration is always validated against approved settings.
“While there are a number of technologies that can be used to implement exception-based updates, this is a case where a well-defined process with automated checks is far more valuable than the technology implementing the process.”
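As an added illustration of the exception-based model Mackey describes (this is example code written for this page, not anything from AMT Games, Synopsys or KnowBe4), the script below validates a service’s flat key/value configuration against an audit-approved baseline and flags every deviation as drift unless that exact deviation was itself reviewed and recorded as an exception. The baseline keys are Elasticsearch settings chosen for illustration; the approved values, the exception record and the sample configuration are all assumptions constructed here.

```python
"""Configuration drift check against an audit-approved baseline.

Added example, not from the article. Setting names are real Elasticsearch
keys, but the approved values, the exception record and SAMPLE_CONFIG are
constructed for this illustration.
"""

# Settings an audit review has signed off on. Anything else is, by
# definition, unreviewed until it goes through the same review.
APPROVED_BASELINE = {
    "xpack.security.enabled": "true",            # authentication on
    "xpack.security.http.ssl.enabled": "true",   # TLS on the HTTP API
    "network.host": "127.0.0.1",                 # not bound to every interface
}

# Deviations that went through review and were explicitly accepted.
# Value is the accepted setting; the review identifier is a placeholder.
APPROVED_EXCEPTIONS = {
    # "network.host": ("10.0.5.12", "REVIEW-TICKET-PLACEHOLDER"),
}


def parse_flat_config(text):
    """Parse 'key: value' lines into a dict.

    Comments (after '#') and blank lines are ignored. Values containing a
    literal '#' are not handled; the configs this check targets are flat.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def find_drift(current, approved=APPROVED_BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Return (key, approved_value, actual_value) for every approved setting
    whose live value differs, unless the live value is a reviewed exception.
    A missing setting is reported with actual_value None."""
    drift = []
    for key, expected in approved.items():
        actual = current.get(key)
        if actual == expected:
            continue
        if key in exceptions and exceptions[key][0] == actual:
            continue  # reviewed and accepted deviation
        drift.append((key, expected, actual))
    return drift


def unreviewed_settings(current, approved=APPROVED_BASELINE):
    """Settings present in the live config that no review ever covered."""
    return sorted(k for k in current if k not in approved)


def audit(text, approved=APPROVED_BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Run both checks and report whether the config passes."""
    current = parse_flat_config(text)
    drift = find_drift(current, approved, exceptions)
    unreviewed = unreviewed_settings(current, approved)
    return {"ok": not drift, "drift": drift, "unreviewed": unreviewed}


# Constructed sample resembling the exposure described in the article:
# security stack never enabled, service listening on every interface.
SAMPLE_CONFIG = """
cluster.name: game-backend
network.host: 0.0.0.0        # listens on all interfaces
http.port: 9200
# xpack.security.enabled was never set
"""

# Constructed sample that matches the approved baseline exactly.
HARDENED_CONFIG = """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
network.host: 127.0.0.1
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(name, "PASS" if result["ok"] else "DRIFT")
        for key, expected, actual in result["drift"]:
            print(f"  {key}: approved={expected!r} actual={actual!r}")
        for key in result["unreviewed"]:
            print(f"  unreviewed setting: {key}")
```

The point of the structure is the one the quote makes: the check itself is trivial, and the value lies in the process around it. A deviation only stops being drift once it is written into the exception record by the same review that produced the baseline, so running this in a deploy pipeline means an unauthenticated, internet-facing instance cannot reach production without someone having explicitly signed off on exactly that configuration.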