100 million online bets exposed by leaky database

Yet another organisation has been spotted copying important data to Elasticsearch cloud storage without remembering to secure it.

Last week, it was US company VOIPo that accidentally exposed call logs, SMS data, and company credentials in Elasticsearch where it was spotted by researcher Justin Paine.

This week, Paine has returned to tell ZDNet of a second cache of Elasticsearch data he found only days ago that appears to have been connected to online betting sites.

Sensitive data such as:

Real names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information, and a list of played games.

In addition, Paine found 108 million records connected to online bets, deposits, wins and withdrawals, complete with partially redacted payment card data.

According to ZDNet, the betting domains included kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, connected to companies registered in Cyprus and the Caribbean.

It’s not clear how far back the data might go, but anyone who placed bets through these sites would be at risk of having their win and loss information made public, opening users up to potential extortion.

As with the VOIPo data leak, there’s no evidence that the information has fallen into the wrong hands, although isn’t terribly reassuring to online gamblers whose data might be part of this cache.

In a positive development, Paine said the data has been taken down, although whether this was by the affected company (or companies) or hosting provider OVH is unclear.

The elastic snaps

The involvement of Elasticsearch in these incidents is a consequence of the open source search tool’s huge popularity. If something becomes popular enough, eventually someone will misuse or misconfigure it.

What should worry us is that this seems to have been happening a lot recently.

Recent incidents include the exposure of 57 million US citizens in November, as well as similar incidents involving Sky Brasil and last June’s Exactis data broker leak involving a reported 340 million records.

Together, these leaks probably join dots that could connect cybercriminals to hundreds of millions of people.

All of these exposed databases were found by independent researchers using tools anyone, including cybercriminals, can access.

That is the important point – the problem of exposed Elasticsearch data is out of the bag and people with different motivations are now looking for it.