Mexican Online Casino Leaks User Data After Internal Password Error

Posted on: November 16, 2023, 06:50h. 

Last updated on: November 17, 2023, 06:57h.

One of Mexico’s leading online casinos, Strendus, is the latest data breach victim. The breach was allegedly caused by someone in the company forgetting to set a password on the server.

The Mexican flag flying from a pole. The Mexican online casino Strendus reportedly offered no security on its servers for months, allowing anyone to access privileged user data. (Image: Shutterstock)

Strendus, the online gaming platform of the Mexican conglomerate Logrand Entertainment Group, allegedly offered public access to 85GB of its server authentication logs. These contain hundreds of thousands of entries with private information about gamblers.

The exposed data, discovered by the Cybernews research team, included users’ true identities, home addresses, occupations, deposit histories, and more. Compounding the severity of the breach, data from another online casino, MustangMoney, was also found in the open.

Cybernews, which employs a team of white-hat hackers to scour the web for problems like this, highlighted the potential risks associated with the exposed information. It emphasized that data exposed through such careless oversight could be exploited for fraudulent activities, identity theft, or phishing attempts, and could even serve as a valuable resource for meticulously targeted cyberattacks.

Prolonged Exposure

The researchers identified Indicators of Compromise (IoC) within the server log entries, indicating a security incident or breach. The absence of regular monitoring for such indicators further heightened the risks for users. While the research points to a possible data theft, there is no hard evidence that anything was taken.

The delay in addressing the issue is of particular concern, as Cybernews first identified the breach in April. Strendus, however, only took action to rectify the situation in October. The prolonged exposure period underscores the potential threat to users with personal information laid bare for months.

A Strendus user’s profile showing the data that was available to anyone who accessed the server (Image: CyberNews)

Online casinos store extensive customer data to comply with gambling laws and adhere to Know Your Customer (KYC) regulations. These regulations are designed to verify the identity of users, thus preventing fraud, money laundering, and other illicit activities. The recent breach raises questions about the effectiveness of security measures implemented by these platforms.

The onus is on companies to prioritize and enhance their security protocols to protect their users from harm. There appears to be no indication that Strendus took the flaw seriously.

Cyberattacks on the Rise

The alarming rise in cyberattacks is evident with recent breaches targeting major entities like MGM Resorts International, Caesars Entertainment, and (possibly) Marina Bay Sands. These high-profile incidents underscore the escalating threat posed by cybercriminals.

While countries increasingly join forces to counter these attacks, hackers are adept at evolving their tactics and tools, presenting a formidable challenge to cybersecurity efforts. The attack on MGM Resorts exposed the personal details of more than 10 million guests, highlighting the severity of breaches in the hospitality sector.

Similarly, the breaches at Caesars Entertainment and Marina Bay Sands emphasized the vulnerability of even the most prominent organizations to sophisticated cyber threats. As countries collaborate to enhance cybersecurity measures, the dynamic nature of cyber threats necessitates continuous innovation to stay ahead of increasingly intelligent and adaptable hackers. This also means ensuring they don’t have free and unfettered access to company equipment.