Slashdot Mirror


Online Casino Group Leaks Information on 108 Million Bets, Including User Details (zdnet.com)

An online casino group has leaked information on over 108 million bets, including details about customers' personal information, deposits, and withdrawals, ZDNet has learned. From the report: The data leaked from an ElasticSearch server that was left exposed online without a password, Justin Paine, the security researcher who discovered the server, told ZDNet. ElasticSearch is a portable, high-grade search engine that companies install to improve their web apps' data indexing and search capabilities. Last week, Paine came across one such ElasticSearch instance that had been left unsecured online with no authentication to protect its sensitive content. From a first look, it was clear to Paine that the server contained data from an online betting portal.

[...] After an analysis of the URLs spotted in the server's data, Paine and ZDNet concluded that all domains were running online casinos where users could place bets on classic cards and slot games, but also other non-standard betting games. Some of the domains that Paine spotted in the leaky server included kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, just to name a few.

13 comments

  1. Promoted by ElasticSearch by DavenH · Score: 2

    Was embedding part of their salesman script really necessary?

  2. Not helping by Anonymous Coward · Score: 0

    Given that the DoJ just decided to gun for them, they are not helping themselves with stuff like this.

  3. Obligatory pun by TimMD909 · Score: 1

    I'm not a betting man, but I'd wager my paycheck this is all due to shitty, greedy upper management.

    1. Re:Obligatory pun by Anonymous Coward · Score: 0

      Justin Paine falls off his bicycle.

      Onlooker: "Dude, are you okay?"

      JP: "Yeah, I'm Justin Paine!"

      CAPTCHA: cornea

  4. Greed at work by gweihir · Score: 1

    Of course, IT security costs money. So what do you do when you already run a hugely profitable online gambling establishment? Right, you get stingy on IT security, so you can rake 0.00001% more cash (or so)!

    Seriously, it is time for severe civil and criminal penalties when this happens, and no excuses.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    1. Re:Greed at work by Anonymous Coward · Score: 0

      Yes, please. Jail time for leaking one person's info. Hopefully that kills off the whole targeted ad industry. It might just kill off some people working in it too...

  5. need new glasses by cstacy · Score: 1

    Thought it said "108 million BATS" and was puzzling that one out...

    1. Re:need new glasses by Anonymous Coward · Score: 0

      Hurr hurr hurr. Trying way too hard to make a lame joke.

  6. Bad bet by nospam007 · Score: 1

    "The data leaked from an ElasticSearch server that was left exposed online without a password,"

    Their security seemed to have some elasticity I bet.

  7. why is it ethical to analyze this server's data? by tech-law-ny · Score: 1

    The article says "included a lot of sensitive information, such as real names, home addresses ... it is unclear ... if anyone outside the security researcher accessed the leaky server." Suppose my information had been stored on that server. Should I feel less violated if the person accessing it self-identifies as a "security researcher" rather than a "PII tourist"? Might a reasonable process start with: as soon as you notice the initial bits of non-public data, contact the hosting provider or applicable CSIRT, wait, and IMMEDIATELY STOP READING THE DATA?

  8. Silver lining by sabbede · Score: 1

    This will make it easy to verify whether or not they're being honest.

  9. Re:why is it ethical to analyze this server's data by sabbede · Score: 1

    It's like when you accidentally see your neighbor naked through the window. You have to stare for a few minutes to make sure your eyes aren't playing tricks, and you finish masturbating, before you tell everyone else what you saw.