WinStar mobile app exposed unprotected database of customers' personal data

published: Feb. 10, 2024

Take action: Once again, a database was left exposed and unprotected on the internet, open to scraping and abuse.


The WinStar casino in Oklahoma, claimed to be the "largest in the world by square footage", has been hit by a significant data exposure incident through its mobile application, My WinStar.

The app, which offers hotel self-service options, loyalty rewards, and casino winnings visibility, was developed by Dexiga, a Nevada-based software startup. The incident occurred when Dexiga left a logging database unprotected on the internet, devoid of any password protection. Anyone who knew the database's public IP address could access sensitive customer data via a web browser.

The database contained:

  • customer full names,
  • phone numbers,
  • email addresses,
  • home addresses,
  • gender,
  • IP addresses.

Some data elements, such as dates of birth, were partially redacted, appearing as asterisks to protect sensitive information. An internal account and password associated with Dexiga founder Rajini Jayaseelan were also found among the exposed data.

Researcher Anurag Sen made a responsible disclosure report to TechCrunch, which then reached out to Dexiga. Dexiga quickly disabled public access to the database.

Dexiga attributed the exposure to a log migration process that took place in January, with the database containing logs dating back to January 26. They tried to downplay the incident by claiming that the database consisted of "publicly available information." The company has not provided specific details regarding the duration of the exposure or whether any unauthorized access occurred during that time.

The number of individuals affected by this data spill remains undisclosed, and Dexiga has not confirmed whether it will inform either WinStar or the impacted customers about the security lapse.
