An online casino group based in Cyprus and the Caribbean island of Curaçao left information on 108 million bets exposed on its server, before it was taken down.
ZDNet reported that the Elastic Search server, used by websites for indexing and search purposes and typically installed on internal networks, had been left without a password, allowing for the data to be leaked.
Security researcher Justin Paine had come across the exposed server, by which he determined that the data was from an online betting group handling multiple websites. The games included “classic cards and slot games,” among other types, according to the article.
Among the domains named were kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, owned by several companies, some housed in the same building in Limassol, Cyprus. Others were operating under the same license number issued by the Curaçao government.
The betting information included current bets, wins, deposits, and withdrawals. Payment details were available in “partially redacted” form.
Connected with such information were names, physical addresses, email addresses, phone numbers, birthdays, usernames, account balances, IP addresses, browser and operating system details, time of last log-in, and games played.
ZDNet sought comment from the online portals mentioned in the data, but had yet to receive a reply as of publication. Paine said of the server going offline, “It’s down finally. Unclear if the customer took it down or if [cloud provider] OVH firewalled it off for them.”
While there are several licensed land-based casinos operating in Cyprus, online gambling remains limited to sports betting.
Curaçao’s Gaming Control Board (GCB), previously confined to regulation of land-based operations, has announced it would add online gambling to its oversight as well. The changes have long been expected, with Dutch officials discussing tighter monitoring of firms back in mid-2016. The GCB hopes that with it at the helm, “illegal providers” could be dealt with better.
