Team Liquid’s wiki leak exposes 118K users


Liquipedia, an online e-sports platform run by Team Liquid, exposed a database revealing its users’ email addresses and other details.

Users of the e-sports knowledge base were exposed via a publicly accessible and passwordless MongoDB database, the Cybernews research team has discovered. The database was closed after researchers informed Liquipedia’s admins about the issue.

Liquipedia is an encyclopedia on various video games, covering everything from history to tactics. The platform was founded and is run by Team Liquid, a Netherlands-based professional e-sports organization owned by aXiomatic Gaming, an e-sports and gaming enabler.

ADVERTISEMENT

According to researchers, the leak revealed an authentication server with login details and information on Liquipedia’s users along with authentication details for Liquipedia admins.

However, following Cybernews’ ethical guidelines, the team did not access the server.

The platform confirmed to Cybernews it noticed the data leak, fixed it and informed users about what happened.

"We fixed the breach within hours after discovering the incident, have informed our users as well as all relevant data protection authorities, have thoroughly looked into the direct causes and root causes of the data breach, and have taken measures, both on a technological as well as process level, to prevent future data breaches," Liquipedia's representative told Cybernews.

A part of the exposed information was contained in a user collection weighing 77MB, containing data on nearly 119,000 users. The exposed Liquipedia user details include:

  • User IDs
  • User emails
  • Email verification status
  • Two-factor authentication status
  • Account creation date

“The leaked information could be exploited for fraudulent activities, compromising the security and reputation of both the e-sports organization and its user base,” researchers said.

Liquipedia data
Sample of the leaked data. Image by Cybernews.
ADVERTISEMENT

Alongside user information, administrator-level details were also present in the “clients” collection. Exposed information included social media secrets, pieces of sensitive information that authorize access to an environment, and private RSA keys.

RSA (Rivest–Shamir–Adleman) is an encryption system used for secure data transmission. Researchers surmised that secrets and private RSA keys were used to authenticate admin access to Liquipedia’s Reddit, Discord, Twitch, and X accounts.

“The exposure of email and access credentials to social media sites pose a threat to both the organization and its customers. This breach not only compromises individual privacy but also opens avenues for threat actors to engage in phishing attacks, unauthorized access to personal accounts, and potential manipulation of the organization’s social media platforms,” researchers said.

Our team contacted Liquipedia in late October. The company responded on the same day and immediately took down the misconfigured MongoDB instance.

Liquipedia’s founder, Team Liquid, is among the most prestigious e-sports organizations in the world, with over two decades of experience. The team competes in several divisions, including Fortnite, Counter-Strike 2, Dota 2, League of Legends, StarCraft II, World of Warcraft, and others.

Updated on January 15th [08:45 AM GMT] with a statement from Liquipedia.