An Elasticsearch server holding personal data of 6 million players of the popular mobile game Battle for the Galaxy was discovered insecure and containing over 1 terabyte of unencrypted data, meaning anyone with a link could access data stored on the repository.
Ethical hackers WizCase found the data and quickly alerted AMT Games, the publisher of Battle of the Galaxy, that the customer data was exposed. According to WizCase, AMT Games has not responded to inquiries, but the leaky server is now secure.
Battle for the Galaxy is available for Android and iOS devices, via the Steam gaming platform and also through the game publisher’s browser-based version of the game. The game follows the open world format, allowing players build worlds and armies that can be directed to battle other user armies.
A Galaxy of Open Data
WizCase said, in all 1.47 terabytes of data was left vulnerable. The stockpile included 5.9 million player profiles, 2 million transactions and 587,000 feedback messages. Feedback massages included account IDs, email addresses, in-game purchase prices and payment providers. Pulled together, this database could provide a rich set of data for cybercriminals to hone their phishing emails to make them look legitimate, WizCase said.
“For example, with the email addresses and specific details of user issues with the service such as in transactions and developer messages could allow bad actors to pose as game support and direct users to malicious websites where their credit card details can be stolen,” WizCase said.
“With data on how much money has been spent per account, these conmen could target the highest-paying users, many of whom are children judging by their game history, time spent in game, circle of friends in-game, etc. and have an even higher chance of success than they would otherwise,” according to the WizCase report published Wednesday.
Less Than 1 Percent of Players Generate 90 Percent of Earnings
Interestingly, an analysis of Battle for the Galaxy player transaction data by WizCase showed only .33 percent of the users in the sample were responsible for 90 percent of the income earned off all the total transactions. This tiny fraction of players accounting for most of the game’s business indicated to WizeCase that the game is aggressively profiting on a minority of users.
“While we cannot comment on if Battle for the Galaxy specifically uses predatory business practices, these practices, especially loot boxes, are common in the bulk of free-to-play mobile games as well as console/PC games, like Overwatch, League of Legends, and Fortnite. Fortnite’s practices were so egregious that its publisher, Epic Games, was sued in 2019 and settled by giving away 1,000 of its in-game V-Bucks currency to claimants. Fortnite discontinued its loot box practices in 2019, revealing what users would be getting in the game’s Loot Llamas before purchase,” WizCase wrote.
Gamers Beware
Threatpost contacted AMT Games and is waiting for a reply regarding questions about the WizCase report and allegations. AMT Games Facebook page said its development offices are in Russia. WizCase identified the corporate headquarters were based in China.
In April, Call of Duty “War Zone” was used as cover for scammers peddling fake game cheats to deliver malware. Blockbuster game Resident Evil suffered a major data breach in January of this year, exposing the data of as many as 400,000 players. And of course, the Cyberpunk 2077 release was plagued by attacks. Even the kids are under siege. Last October, the game Among Us was temporarily shut down by an attacker named Eris Loris who spammed players until the game was unplayable.
“We recommend always inputting the bare minimum of information when making a purchase or setting up an account on the internet,” WizCase advised. “The less information you give hackers to work with, the less vulnerable you are to attack.”
Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.