Customers of the WinStar casino in Oklahoma might be well-advised to check their financial accounts regularly for a while, as the customer database behind the casino’s app was compromised, leaving patrons’ personal information easily visible. More accurately, the app itself wasn’t hacked; the customer database was left unsecured on the internet, allowing bad actors to swoop in and gather records to their heart’s content.
Anurag Sen, a security researcher who last year discovered a security breach at India’s PokerBaazi online poker room, found the database but did not know it belonged to WinStar. He contacted TechCrunch for assistance, showing the outlet scores of customer records containing full names, phone numbers, e-mail addresses, home addresses, genders, IP addresses, and dates of birth (the DOBs were redacted).
None of the data was encrypted. Digging deeper into the records, TechCrunch found an “internal account and password” connected to Rajini Jayaseelan, the founder of Dexiga, the company that developed the My WinStar app.
Now believing they were looking at WinStar customer data, TechCrunch created a WinStar app account as a test. Sure enough, the test account’s record immediately appeared in the database, confirming that the My WinStar app was the source.
The reason the database – and the customer information contained within – was exposed seems to be largely carelessness. According to TechCrunch, Dexiga “left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser.”
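The exposed store was a logging database, and the damage came from the fact that it held raw customer identifiers. A common mitigation, independent of whether the store is later left open, is to strip or pseudonymise personal data before it is ever written to logs. The following Python example is an added illustration of that practice, not code from Dexiga, WinStar or TechCrunch; the field names, the record and the HMAC key are all constructed for the demonstration, and the choice of keyed HMAC-SHA256 for pseudonymisation is an assumption about what a sensible log pipeline would do.

```python
"""Sanitise application log records before they reach a logging database.

Fields the article lists as exposed (names, phones, e-mails, addresses,
genders, IPs, dates of birth, an internal password) are either dropped or
replaced with a keyed pseudonym, so a leaked log store reveals no raw PII
while still allowing records for the same user or IP to be correlated.
"""
import hashlib
import hmac
import json
import re

# Constructed demo key. In a real deployment this comes from a secret manager,
# never from source control; the key is what stops an attacker from reversing
# pseudonyms by hashing guessed e-mails or IPs (assumption: keyed hashing).
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Fields that carry no value in a log and are simply dropped.
DROP_FIELDS = {"password", "dob", "date_of_birth", "home_address", "gender"}
# Fields useful for correlation that are kept only in pseudonymised form.
PSEUDONYMISE_FIELDS = {"email", "phone", "full_name", "ip"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymise(value: str) -> str:
    """Return a stable, non-reversible token for an identifier."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return "pseud:" + digest.hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and IPv4 addresses embedded in free text."""
    text = EMAIL_RE.sub(lambda m: pseudonymise(m.group(0)), text)
    text = IPV4_RE.sub(lambda m: pseudonymise(m.group(0)), text)
    return text


def sanitise_record(record: dict) -> dict:
    """Recursively drop, pseudonymise or scrub the fields of one log record."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in DROP_FIELDS:
            continue
        if k in PSEUDONYMISE_FIELDS:
            out[key] = pseudonymise(str(value))
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        elif isinstance(value, dict):
            out[key] = sanitise_record(value)
        else:
            out[key] = value
    return out


# Constructed sample record of the shape a signup event might produce.
SAMPLE_RECORD = {
    "event": "signup",
    "full_name": "Jane Doe",
    "email": "jane@example.com",
    "phone": "+1 555 0100",
    "dob": "1990-01-01",
    "ip": "203.0.113.7",
    "password": "hunter2",
    "message": "signup from 203.0.113.7 by jane@example.com",
}


def sanitised_sample_json() -> str:
    """Sanitise SAMPLE_RECORD and serialise it as it would be stored."""
    return json.dumps(sanitise_record(SAMPLE_RECORD), sort_keys=True)


if __name__ == "__main__":
    print(sanitised_sample_json())
```

The same identifier always maps to the same token, so an analyst can still group events by user or source address, but a copy of the log store alone yields no names, addresses or contact details.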
TechCrunch contacted Dexiga and said that the database “became inaccessible a short time after,” so it looks like the company plugged the hole. Jayaseelan said that the database only contained “publicly available information” and that no sensitive info – say, credit card numbers – was compromised.
Dexiga said a January log migration created the issue, but did not give TechCrunch a specific date as to when customer information may have begun to be exposed.
“We are further investigating the incident, continue to monitor our IT systems, and will take necessary future actions accordingly,” Dexiga said.
There are still questions left unanswered. Dexiga did not tell TechCrunch how many customer records were exposed, whether or not it has told WinStar, if it would notify customers, or if it has any way to know who else besides Anurag Sen and TechCrunch gained access to the database.