GoodGamer Cloud Breach Exposes Personal Data of Over 380,000 Users

Close up of a person holding a smartphone in landscape mode

Our VPNOverview security team discovered a data breach affecting the online gaming platform, GoodGamer — a leak that exposed the information of over 380,000 users.

GoodGamer is a platform where users can play mobile games or compete in gaming tournaments for a chance to earn money. It is a publicly traded Canadian company and also has offices in the U.S. We’ve summarized our findings in the infographic below:

Infographic describing how the GoodGamer cloud breach happened, and what the details of the leak are

GoodGamer Breach Exposes Over 380,000 Users

Amazon Web Services (AWS) S3 buckets are widely used by companies of all sizes for a variety of purposes. Its uses include archive storage, backups, and big data analytics, to name a few. However, an improperly configured bucket is a potential security vulnerability, as anyone on the internet can access them and the files they hold.

Aaron Phillips, the cybersecurity professional who discovered the breach, found stored reports in a publicly accessible bucket. Upon further examination, we found 381,626 email addresses and phone numbers belonging to users who played games on the GoodGamer app between 2020 and 2021.

List with blurred emails of the GoodGamer Cloud Breach

Each email and phone number was also associated with a file about spending habits on the platform. We found information about how much money each user won, and how much money they deposited into their GoodGamer accounts.

The platform requires users to transfer funds from their PayPal or PayTM accounts in order to play games on the app.

Folder with blurred names of files of the GoodGamer Cloud Breach

Based on the user IDs exposed in the breach, we don’t think it affected every GoodGamer user. Unfortunately, the number of affected users was in the hundreds of thousands.

“GoodGamer closed this breach as soon as we reported it, but the fact these logs were exposed in the first place is extremely concerning,” Phillips said. “Developers that integrate NFTs and fintech in their games need to be held to a higher standard.”

Timeline of Discovery and Repair

Here’s a timeline of the breach:

We discovered user data belonging to GoodGamer being stored insecurely in an AWS S3 bucket.July 21st, 20222:15 PM EST
We notified GoodGamer that users’ email addresses and phone numbers were exposed on the web.July 21st, 20222:45 PM EST
GoodGamer secured their bucket and repaired the breach.July 21st, 20223:45 PM EST

VPNOverview’s security team notified GoodGamer through their online web form, and they repaired the breach in less than an hour.

GoodGamer did not respond to our requests for comments.

Gamers Face Heightened Risk of Targeted Attacks

The GoodGamer data breach — and data leaks like it — put affected users at a heightened risk of falling victim to cybercrimes. Information such as email addresses and phone numbers, coupled with financial information, leaves open the possibility of targeted phishing attacks.

Here, instead of mass-emailing random addresses, attackers could send specifically tailored phishing emails containing sensitive information to their targets. This adds legitimacy to the email, making it more likely that a target will fall for the trick.

This was evidenced in the Luna Moth campaign, which begins with a fake subscription renewal email, aimed at deceiving targets into clicking malicious links.

The affected users also could be the targets of NFT phishing attacks. GoodGamer has forayed into Play2Earn gaming with a game called Chosen Ones. It also has plans to create an NFT collection based on the game.

NFT scams are rising at an alarming rate as cybercriminals try to take advantage of the massive popularity surrounding NFT projects. In recent months, unsuspecting victims have received emails, Instagram DMs, and Discord chats from accounts impersonating legitimate projects such as Bored Ape Yacht Club (BAYC).

In light of these events, we recommend that the affected users watch out for suspicious emails or phone calls about gaming platforms or NFT drops. It is crucial to exercise caution even if the email or caller appears legitimate. Avoid clicking on any links or providing any information before you confirm the authenticity of the sender or caller.

Our detailed guide on avoiding phishing scams contains helpful tips on how you can spot potential schemes.

Don’t Play Games With Online Privacy

Good Gamer joins a long list of other companies that have been burned by AWS S3 buckets.  In 2017, Upguard uncovered one of the biggest recorded leaks involving the information of 198 million American voters. More recently, our research team found that cosmetic giant Sephora left an S3 bucket unsecured, exposing the data of 490,000 customers.

Our team also worked with gaming giant Sega to secure sensitive files which were stored in a publicly accessible S3 bucket. Sega addressed the vulnerability before malicious actors exploited any information.

User safety should be a high priority for every platform and developer. However, even platforms with the best intentions can slip up from time to time. Since gamers are at a higher risk of cyberattack, it’s crucial they protect themselves online. Many of the breaches we find contain IP addresses associated with emails because developers track every player’s account.

Using a VPN while gaming can help protect your privacy to a certain extent. A VPN masks your IP address and encrypts your network traffic.

“I’m not sure how anyone can read about a breach like this and not think about online privacy. These companies want every piece of information they can get for marketing and tracking. It’s up to all of us to protect ourselves whenever we connect to an online service,” Phillips said.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.