WinStar Casino’s Mobile App Accidentally Exposed Customer Data | Maqvi News

Popular casino app My WinStar—self-titled as the “world’s biggest casino”—was recently struck by a security lapse that led to the exposure of a database that contained their customers’ personal details. As of now, it’s unclear how many user’s details have been compromised.

The app belongs to an Oklahoma-based casino and resort called WinStar and is developed by a Nevada-based tech company called Dexiga. The app is used by the guests of the resort during their stay to access self-service options such as accessing their loyalty benefits, reward points, and casino winnings.

The leak was discovered by Anurag Sen, a security researcher with a knack for discovering accidental leaks and exposed sensitive data.

Further investigation revealed that the leaked database contained a lot of personal details such as the customer’s name, contact details, gender, home address, and even IP address.

The extent of damage is still unknown but it was found that some of the user’s date of birth were edited and replaced with asterisks. The rest of the information was not encrypted which shows that the leak might have happened recently.

How Did The Leak Happen?

Investigations so far have linked the initial source of the leak to Dexiga. It accidentally left one of its logging databases online without a password. So anyone who knew the database’s IP address could access WinStar’s customer files using just their browser; no fancy tools needed.

An internal user account and password that belongs to Dexiga founder Rajini Jayaseelan were also found in the exposed data, confirming the connection.

Luckily, the company was swift in taking action. As soon as they were notified about the exposure, the database was taken offline.

In an email statement, Jayaseelan said that they have secured the database now. But the exposure shouldn’t be a huge cause of concern as all the data in it was “publicly available information”. No confidential data was compromised.

Neither Jayaseelan nor Dexiga confirmed the exact date when the database was exposed so it’s hard to tell how long the leak went undetected. But we do know for a fact that up until January 26, the database was secure.

Speaking of the timeline behind the leak, the casino said that it all likely started in late January post a long migration.

The company has remained mum on many important questions. For instance, when asked whether they have the necessary tools to determine whether anyone else accessed the database while it was exposed, they didn’t give a clear answer.

It’s also unclear whether Dexiga notified WinStar and its customers about the leak. WinStar’s general manager, Jack Parkinson, was unavailable for comment.

This news comes at the heels of Chainalysis’s report stating that cyberattack extortions reached an all-time high at $1.1 billion last year. This goes on to show that the industry desperately needs better data management and security tools so that customer information isn’t so easily compromised.