Major arcade game maker leaks millions of records via WeChat mini app

Published: 20 May 2026
Last updated: 26 May 2026
arcade games china
CFOTO/Future Publishing via Getty Images.
Listen to this article

Wahlap, one of the world’s top arcade makers, leaked nearly 19 million user records, ranging from full names to unique IDs. Our researchers believe the Wahlap data leak also includes data related to the WeChat ecosystem.

Key takeaways:
  • Wahlap leaked 18.9 million records including WeChat Union IDs, phone numbers, and gaming behavior through exposed servers.
  • The leak also exposed underage users with personally identifiable information including names, birthdates, and location data.
  • Leaked data enables targeted phishing attacks through detailed user profiles combining gaming habits, locations, and WeChat identifiers.
  • The exposed Elasticsearch cluster remained publicly accessible from at east March 19th until May 18th, 2026 before being secured.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.

No one is immune to data leaks in the 21st century. Even playing arcade games, an analog experience by design, may lead to your data ending up online. On March 19th, our team discovered three exposed servers containing data for Wahlap users.

ADVERTISEMENT

Wahlap is a China-based arcade maker, one of the largest in the world, partnering with gaming giants such as Sega, Warehouse of Games, Timezone, and others.

Cybernews researchers believe that the exposed server cluster contained user details from the WeChat ecosystem. WeChat is a Tencent-made Chinese super app used for anything from instant messaging to mobile payments.

wahlap data sample1
Sample of the leaked data. Image by Cybernews.

In total, 18.9 million records were left exposed online, covering Wahlap members’ identifiers, gaming behavior data, asset information, customer snapshots, and application logs.

“At least in theory, the Wahlap data leak allows malicious actors to craft detailed and accurate user profiles that can be used for highly targeted fraud and social engineering attacks,” our team explained.

We have reached out to Wahlap and will update this article once we receive a reply. Several days after the discovery, the team noticed that the exposed cluster was no longer publicly accessible.

What’s included in the Wahlap data leak?

The exposed data was stored in an Elasticsearch cluster comprising three servers owned by Wahlap. Organizations and businesses use Elasticsearch because it supports rapid sorting and near-real-time data searching.

ADVERTISEMENT

According to our team, the data most likely leaked via Wahlap’s WeChat mini programs. WeChat mini programs are lightweight applications that run inside the WeChat ecosystem.

Instead of downloading separate apps, users can access these mini apps instantly for services like shopping, games, ride-hailing, or payments, without requiring additional storage on their mobile devices. Based on the leaked data, researchers assume that Wahlap has implemented such mini programs to primarily enable users to pay for games.

Meanwhile, the exposed information can be broadly put into five index categories:

  • Wahlap members data
  • Members’ gaming behavior data
  • Wahlap asset data
  • Consumer snapshot data
  • Other indices
wahlap data sample2
Sample of the leaked data. Image by Cybernews.

The first category, Wahlap members' data, contained the largest amount, over 10 gigabytes. Out of nearly 7.9 million records that reveal user data, the team observed:

  • 6.6M unique Union IDs
  • 1.7M unique phone numbers
  • 24k dates of birth and full names

A Union ID is a unique user identifier provided by WeChat that stays consistent across multiple apps under the same account. Union ID lets developers recognize the same user across different mini programs, official accounts, or mobile apps, enabling unified user profiles and cross-platform data tracking.

“Additionally, the records contained data that revealed user IDs within the Wahlap ecosystem referring to different available mini programs as well as registration dates for specific games,” our researchers explained.

wahlap data sample3
Image by Cybernews.
ADVERTISEMENT

Worryingly, among users' personally identifiable information, the team identified around 3.8k records for underage Wahlap users.

The second category, members’ gaming behavior, covers 490MB of data, including 1.3M total records with at least 295k unique union IDs.

“These indices additionally include locations of user favorites and last visited arcade machine locations, frequency of both specific games played and general activity,” our researchers said.

The third category, Wahlap asset data, consists of over 1.4GB of data with nearly 2M records, including 1.96M union IDs and user-owned coupon information such as IDs, expiration dates, and coupon counts. The team could not determine whether the IDs are tied to coupons that can be used or are internal system identifiers.

Consumer snapshot indices, together with other indices, contained another 7.7M union ID and application logs.

wahlap data sample4
Image by Cybernews.

While the team did not find evidence that threat actors exploited the leaked data, if our team found it online, other, less high-minded individuals may have too. Malicious actors operate billions of bots that scour the web for exposed data and automatically siphon it to their servers.

In the wrong hands, the Wahlap data leak could increase cybersecurity risks for exposed individuals, especially concerning phishing and social engineering attacks. With location information at hand, attackers can resort to stalking and profiling users.

Major Chinese data leaks

Like many other major industrialized nations, China is not immune to data leaks. Earlier this year, we wrote about another exposed Elasticsearch cluster containing 8.7 billion records.

ADVERTISEMENT

Last September, an anonymous source leaked over 500GB of internal documents from the Chinese internet censorship program, known as the Great Firewall of China.

Another data leak we saw from China was also discovered by Cybernews researchers. It occurred in May 2025, when over 4 billion documents containing financial data, WeChat and Alipay details, and other sensitive personal data were exposed to the public.

Likely one of the most damaging data leaks to plague China took place in 2022, after malicious actors shared a massive dataset weighing 23 terabytes, supposedly covering information about a billion Chinese nationals. The database was allegedly stolen from the Shanghai police.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

Disclosure timeline

  • Leak discovered: March 19th, 2026
  • Initial disclosure: March 24th, 2026
  • Leak observed closed: May 18th, 2026

Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked