Strendus online casino leaks customer data due to unprotected logs
Take action: Exposing customer data through an unprotected database online is an injury of customer trust. But ignoring notifications and leaving the database exposed for months is a flagrant insult.
Learn More
Strendus, a major online casino in Mexico, inadvertently exposed critical user information. Casinos, by nature, hold vast quantities of personal data to comply with Mexican legal and regulatory standards, including stringent Know Your Customer (KYC) protocols, thereby being prime targets for cyber-attacks.
The data set included
- names
- residential addresses
- gambling expenditures
- CURP numbers (a unique identity code for citizens in Mexico)
- Phone contact numbers
- IP addresses
The number of affected individuals is not clear.
The breach was discovered by cybersecurity media research team, which found that Strendus had left 85GB of authentication logs publicly accessible. These logs, teeming with sensitive user data, also included records from another online casino, MustangMoney.
The researchers located indices labeled as “hacked[_id]” within the Elasticsearch database, which are probable signs of a security breach, indicating unauthorized log access.
The unsecured database was initially found on April 7th, and although Strendus was notified immediately, the vulnerability persisted until mid-October. The data had been accessible since at least March 8th, 2023, as indicated by Internet of Things (IoT) indexing.
The company in charge of the casinos has not yet issued a statement. This oversight in authentication security is alarming, given the ease with which attackers could exploit such data.
