The developers of popular Android gaming apps in China exposed users’ sensitive information through an unsecured server, security researchers revealed.
vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, revealed that EskyFun exposed a 134 GB server holding highly sensitive information that was publicly available online.
EskyFun is the Chinese developer of Android games such as Rainbow Story: Fantasy MMORPG, The Legend of The Three Kingdoms, and Adventure Story.
The vpnMentor team revealed that the data leak affected users of several games, including Metamorph M, Dynasty Heroes: Legends of Samkok, and Rainbow Story, totaling over 1.6 million downloads.
vpnMentor said that the records included details about users’ activities from June 2021 onward, 365,630,387 records in total.
The team says that the developers’ practices have raised concerns about the amount of data that they collect due to “aggressive and deeply troubling tracking, analytics, and permissions settings.” Normally, you would not expect mobile games to collect such types of data.
The records included details about the devices used, their IMEI numbers, game purchases, transaction reports, and the OS used. They also contained email addresses and EskyFun account passwords stored in plaintext.
vpnMentor believes that up to a million users’ information was exposed.
The incident was discovered on July 5. It was then reported to EskyFun on July 7 and 27. EskyFun was unresponsive, according to vpnMentor.
“Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users,” the researchers commented. “Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse.”