Asantee Games, a game development company, has exposed data from more than 14 million players due to its failure to set up a password.
Asantee Games is a small game development studio founded in 2012. The company’s flagship project is the Magic Rampage game, which was released in December 2013 and has been downloaded over 10 million times on the Android and iOS platforms.
Cybernews research reveals that the leak at the Brazil-based company was caused by a misconfiguration on MongoDB, a document-oriented database platform, leaving the company’s data passwordless and publicly accessible. Researchers contacted the company, and access to the database was secured.
The leaked data includes:
- Players’ usernames
- Players’ emails
- Players’ device data
- Players’ statistics
- Admin credentials with encrypted passwords
Leaking such data poses risks to users as it could be used for various attack vectors. Exposed usernames and emails can be exploited by malicious actors for identity theft, committing fraud, or creating fake identities.
The affected users can also be targeted by phishing attacks, where attackers send deceptive emails, pretending to be legitimate entities to trick users into revealing sensitive information or installing malware.
With access to admin credentials, malicious actors might attempt to gain access to the company’s internal systems, leading to additional harm and potentially exposing more user data.
The company told Cybernews that it had taken immediate action to secure its systems. “Our team took immediate action to secure our systems and further strengthen our database security to prevent such occurrences in the future. It is important to note that no other critical personal data was compromised. We do not store sensitive information such as names, birth dates, or addresses, hence minimizing the potential impact on our users,” commented the company’s spokesman.
To mitigate the risks of such incidents, it’s essential to always set up authentication mechanisms to control access to MongoDB databases. It’s also important to use encryption to protect data both in transit and at rest.
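As an added illustration (not code from Cybernews or Asantee Games), the following Python sketch audits a `mongod.conf` for the controls recommended above: authentication, TLS in transit and encryption at rest. It goes slightly beyond the text by also flagging a listener bound to all interfaces. The two configurations are constructed samples, the finding codes are hypothetical names, and the parser handles only the simple nested `key: value` subset of YAML that these samples use.

```python
# Constructed sample configs for illustration; not taken from the incident.
WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""
HARDENED = """\
net:
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
  enableEncryption: true  # MongoDB Enterprise; otherwise encrypt the volume
"""

def flatten(text):
    """Turn the nested `key: value` YAML subset used here into dotted keys."""
    out, stack = {}, []  # stack holds (indent, key) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip()
    return out

def audit(text):
    """Return hypothetical finding codes for the controls the article recommends."""
    cfg, findings = flatten(text), []
    if cfg.get("security.authorization") != "enabled":
        findings.append("NO_AUTH")         # anyone who can connect can read data
    binds = [b.strip() for b in cfg.get("net.bindIp", "localhost").split(",")]
    if cfg.get("net.bindIpAll") == "true" or {"0.0.0.0", "::"} & set(binds):
        findings.append("ALL_INTERFACES")  # listener reachable on every interface
    if cfg.get("net.tls.mode") != "requireTLS":
        findings.append("NO_TLS")          # traffic is not forced onto TLS
    if cfg.get("security.enableEncryption") != "true":
        findings.append("NO_AT_REST")      # confirm volume-level encryption instead
    return findings
```

Calling `audit(WEAK)` reports all four findings, while `audit(HARDENED)` returns an empty list.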