Big gaming company leaks 365 million records from 1 million gamers’ phones

Researchers Noam Rotem and Ran Locar from security firm vpnMentor revealed the detection of a massive data breach belonging to EskyFun, a Chinese company dedicated to the development of mobile video games with iOS and Android systems. Apparently, the information was leaked due to the use of an insecure server to store these logs, not to mention that this is highly confidential information.

The investigation is ongoing, although it is already mentioned that the incident could have affected up to 1.5 million people, who would be exposed to identity theft, wire fraud and other risks. Among those affected are all users of mobile games such as Rainbow Story: Fantasy MMORPG, Dinasty Heroes: Legends of Samkok and Metamorph M.

The information exposed was discovered on June 5 and, although investigators tried to contact the company on more than one occasion between July 7 and 27, there was no response from EskyFun.

Finding no response from the company, the team notified CERT Hong Kong, the government entity responsible for addressing cybersecurity incidents in that territory. By the time CERT Hong Kong acknowledged the incident, the database had already been secured, although it is not known exactly when it occurred.

On the compromised data, experts point out that EskyFun’s games are enabled to track any process while they are running, thus are allowed by the company to collect all kinds of logs from the devices on which its games were installed. These records include:

  • IP address
  • IMEI Key
  • Device screen resolution to determine if it is a rooted smartphone
  • Device model
  • Phone number
  • Operating system
  • Type of network connection
  • Events (volume up/down, logins, screen locks, etc.)

In addition to this extensive collection of details, EskyFunk’s apps requested lots of permissions for their installation, gaining almost total control over any aspect of users’ devices. Among these permissions, the researchers detected:

  • Access to external storage content
  • Access to Bluetooth settings
  • Access to other running applications
  • Modification of audio settings
  • Microphone access, calls and contact list
  • Request to install packages
  • Push notifications

As in any data breach incident, leaking this information could expose users to attempts at identity fraud, phishing, and other variants of cybercrime, not to mention that the company accesses more information than it needs.

To prevent these attacks, users are advised to ignore any message apparently sent by the company asking them to hand over sensitive information such as access keys to digital platforms and financial details. On the other hand, if you do not want these applications to access the registries of your system, it would be best to uninstall the games developed by EskyFunk.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.