Our VPNOverview security team discovered a data breach affecting the online gaming platform, GoodGamer — a leak that exposed the information of over 380,000 users.
GoodGamer is a platform where users can play mobile games or compete in gaming tournaments for a chance to earn money. It is a publicly traded Canadian company and also has offices in the U.S. We’ve summarized our findings in the infographic below:
GoodGamer Breach Exposes Over 380,000 Users
Amazon Web Services (AWS) S3 buckets are widely used by companies of all sizes for a variety of purposes. Its uses include archive storage, backups, and big data analytics, to name a few. However, an improperly configured bucket is a potential security vulnerability, as anyone on the internet can access them and the files they hold.
Aaron Phillips, the cybersecurity professional who discovered the breach, found stored reports in a publicly accessible bucket. Upon further examination, we found 381,626 email addresses and phone numbers belonging to users who played games on the GoodGamer app between 2020 and 2021.
Each email and phone number was also associated with a file about spending habits on the platform. We found information about how much money each user won, and how much money they deposited into their GoodGamer accounts.
The platform requires users to transfer funds from their PayPal or PayTM accounts in order to play games on the app.
Based on the user IDs exposed in the breach, we don’t think it affected every GoodGamer user. Unfortunately, the number of affected users was in the hundreds of thousands.
“GoodGamer closed this breach as soon as we reported it, but the fact these logs were exposed in the first place is extremely concerning,” Phillips said. “Developers that integrate NFTs and fintech in their games need to be held to a higher standard.”
Timeline of Discovery and Repair
Here’s a timeline of the breach:
|We discovered user data belonging to GoodGamer being stored insecurely in an AWS S3 bucket.||July 21st, 2022||2:15 PM EST|
|We notified GoodGamer that users’ email addresses and phone numbers were exposed on the web.||July 21st, 2022||2:45 PM EST|
|GoodGamer secured their bucket and repaired the breach.||July 21st, 2022||3:45 PM EST|
VPNOverview’s security team notified GoodGamer through their online web form, and they repaired the breach in less than an hour.
GoodGamer did not respond to our requests for comments.
Gamers Face Heightened Risk of Targeted Attacks
The GoodGamer data breach — and data leaks like it — put affected users at a heightened risk of falling victim to cybercrimes. Information such as email addresses and phone numbers, coupled with financial information, leaves open the possibility of targeted phishing attacks.
Here, instead of mass-emailing random addresses, attackers could send specifically tailored phishing emails containing sensitive information to their targets. This adds legitimacy to the email, making it more likely that a target will fall for the trick.
This was evidenced in the Luna Moth campaign, which begins with a fake subscription renewal email, aimed at deceiving targets into clicking malicious links.
Emerging cybercrime trends in the NFT space
The affected users also could be the targets of NFT phishing attacks. GoodGamer has forayed into Play2Earn gaming with a game called Chosen Ones. It also has plans to create an NFT collection based on the game.
NFT scams are rising at an alarming rate as cybercriminals try to take advantage of the massive popularity surrounding NFT projects. In recent months, unsuspecting victims have received emails, Instagram DMs, and Discord chats from accounts impersonating legitimate projects such as Bored Ape Yacht Club (BAYC).
In light of these events, we recommend that the affected users watch out for suspicious emails or phone calls about gaming platforms or NFT drops. It is crucial to exercise caution even if the email or caller appears legitimate. Avoid clicking on any links or providing any information before you confirm the authenticity of the sender or caller.
Our detailed guide on avoiding phishing scams contains helpful tips on how you can spot potential schemes.
Don’t Play Games With Online Privacy
Good Gamer joins a long list of other companies that have been burned by AWS S3 buckets. In 2017, Upguard uncovered one of the biggest recorded leaks involving the information of 198 million American voters. More recently, our research team found that cosmetic giant Sephora left an S3 bucket unsecured, exposing the data of 490,000 customers.
Our team also worked with gaming giant Sega to secure sensitive files which were stored in a publicly accessible S3 bucket. Sega addressed the vulnerability before malicious actors exploited any information.
User safety should be a high priority for every platform and developer. However, even platforms with the best intentions can slip up from time to time. Since gamers are at a higher risk of cyberattack, it’s crucial they protect themselves online. Many of the breaches we find contain IP addresses associated with emails because developers track every player’s account.
“I’m not sure how anyone can read about a breach like this and not think about online privacy. These companies want every piece of information they can get for marketing and tracking. It’s up to all of us to protect ourselves whenever we connect to an online service,” Phillips said.