The Chinese developers of popular Android gaming apps exposed the personal and device details of over one million gamers through an unsecured server.
EskyFun Entertainment Network Limited, which owns the 134GB server, had exposed and published the data online.
EskyFun is the developer of Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M.
The users of the games Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok were involved in the data leak. In total, they account for over 1.6 million downloads.
According to vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, an alleged 365,630,387 records were leaked, containing data from June 2021 onwards, with a log of the previous seven days' records.
The developers impose aggressive and deeply troubling tracking, analytics, and permissions settings when users download and install their software, so the variety of data collected was far more than is required from a mobile game user.
The records included IP addresses and IMEI numbers, device information, phone numbers, the OS in use, mobile device event logs, whether or not a handset was rooted, game purchase and transaction reports, email addresses, EskyFun account passwords stored in plaintext, and support requests, among other data.
vpnMentor estimates that more than one million users may have had their information exposed.
The unsecured server was discovered on July 5, and EskyFun was contacted two days later. The company did not respond, so vpnMentor made a second attempt on July 27 and later reached out to Hong Kong CERT. The server was secured on July 28.
The researchers stated that by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse.