EskyFun stored a trove of gamers’ data on an Elasticsearch server that was exposed to the public without any security authentication.
The research team at vpnMentor reported an error on the part of famous Chinese Android game developer EskyFun that leaked sensitive data of at least one million online gamers.
Reportedly, EskyFun used an unsecured Elasticsearch server to store vast amounts of data collected from users. Researchers revealed that the information was stored as rolling seven-day sets of user data for around three of the company’s games, which contained over 360 million pieces of data.
“This is an enormous amount of data collected from a few small, not well-known mobile games,” researchers noted in their blog post.
Breach Discovered in July 2021
The data date back to July 2021. As soon as the unprotected server was discovered, vpnMentor’s team informed EskyFun, but the company did not respond. vpnMentor notified the company a second time a few weeks later and then informed the Hong Kong CERT (Computer Emergency Response Team), after which the issue was addressed.
About the Impacted Games
EskyFun Entertainment Network Limited is a well-known game publisher from China with many famous Android games published so far, including role-playing and fantasy genre games.
vpnMentor’s report details that the games affected by this leak include:
- Rainbow Story: Fantasy MMORPG boasting 500,000 downloads
- Metamorph M with 100,000+ downloads
- Dynasty Heroes: Legends of Samkok, which has been downloaded over 1,000,000 times
The impacted games have a cumulative total of 1.5 million downloads.
Gamers Exposed to All Kinds of Harms
EskyFun’s security lapse has exposed around one million users to all types of cyber fraud, including ransomware. Most of the data is sensitive, which surprised vpnMentor’s team, as there was no need to collect it. The exposure was caused by EskyFun’s “aggressive and deeply troubling tracking, analytics, and permission settings.”
“There was no need for a video game company to be keeping such detailed files on its users,” according to the report.