Thousands of Airsoft players under threat after data breach

Malicious actors took advantage of 75,000 Airsoft players’ personal data after the community site forgot to put a password on its database backups.

On December 6th, 2023, the Cybernews research team discovered that the Airsoft enthusiast community site had failed to configure authentication for its Google Cloud Storage Bucket, which leaked a database backup from 2022 storing large amounts of highly sensitive user data.
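A defender's check for the misconfiguration described above, as an added example that is not part of the Cybernews report: it reads a bucket's metadata and IAM policy (the JSON shapes used by the Cloud Storage API) and reports settings that leave objects readable without authentication. The bucket name and both sample documents are constructed for illustration.

```python
import json

# Principals that make a grant public: anyone on the internet, or any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def audit_bucket(metadata: dict, iam_policy: dict) -> list:
    """Return a list of findings for one bucket's metadata and IAM policy."""
    findings = []
    name = metadata.get("name", "<unknown>")
    iam_cfg = metadata.get("iamConfiguration", {})

    # Enforced public access prevention blocks public grants via IAM and ACLs.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append(f"{name}: public access prevention is not enforced on the bucket")

    # Without uniform bucket-level access, per-object ACLs can expose data
    # that never appears in the bucket's IAM policy.
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append(f"{name}: uniform bucket-level access is disabled; review object ACLs")

    for binding in iam_policy.get("bindings", []):
        exposed = sorted(PUBLIC_MEMBERS.intersection(binding.get("members", [])))
        if exposed:
            scope = "conditional" if "condition" in binding else "unconditional"
            findings.append(
                f"{name}: {binding.get('role')} granted to {', '.join(exposed)} ({scope})")
    return findings

# Constructed sample: a backup bucket readable by anyone (hypothetical name).
SAMPLE_METADATA = json.loads("""{
  "name": "example-db-backups",
  "iamConfiguration": {"publicAccessPrevention": "inherited",
                       "uniformBucketLevelAccess": {"enabled": false}}}""")
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]}]}""")

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_METADATA, SAMPLE_POLICY):
        print(finding)
```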

The leak's impact is substantial, affecting 75,000 users and potentially reaching a significant portion of the Airsoft community in the US. Though precise figures for the Airsoft community in the US are unavailable, neighboring Canada reportedly had around 35,000 Airsoft players in 2021.

Heightening the severity, malicious actors have also accessed the leaked database. Cybernews discovered a 12GB file containing the database backup shared on a hackers' forum. Cybernews has tried several times to reach out to the company but, at the time of writing, has received no reply.

Contents of the “emails” table, containing the contents of sent emails

The leaked data includes:

  • Personal emails sent to users
  • Usernames and hashed passwords
  • Email addresses
  • Phone numbers
  • Home addresses
  • Social media links
  • Credentials of the site’s founders and admins
  • User posts

The platform, owned by Delaware-based company Airsoft C3, allows US Airsoft players to create accounts, find game fields nearby, and find teams to join and play against.

With annual revenue of between $2 million and $5 million, the company is listed as one of the main hosts of indoor and outdoor airsoft games, offering field, bb guns, airsoft guns, and protective gear for rent.

Cybersecurity threats

The publicly exposed database backup is sensitive, as it holds nearly all operational information required for the website to function properly, including user data.

Contents of the “users” table, containing 75 thousand entries

The company may face legal and financial risks due to improper storage of personal data. Leaked credentials for administrative accounts could be used to compromise company infrastructure, which may cause further reputational and financial damage.

The evidence of malicious actors accessing and sharing the leaked database heightens the risk of potential attacks targeting the site and its users. With this leaked information, malicious actors could execute a range of attacks, such as account takeovers, credential stuffing, phishing, spam campaigns, identity theft, and doxxing.

Notifications sent to users

“Users” table schema, showing what personal information was stored in the table
