EskyFun data leak, over 1 million Android gamers impacted

vpnMentor’s researchers reported that the Chinese mobile gaming company EskyFun suffered a data breach, over 1 million gamers impacted.

vpnMentor’s researchers discovered that the Chinese mobile gaming company EskyFun suffered a data breach, information of over 1 million gamers were exposed on an unsecured server.

EskyFun developed several Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M. The games affected in the data leak were: Rainbow Story: Fantasy MMORPG (500,000+ downloads); Metamorph M (100,000+ downloads); Dynasty Heroes: Legends of Samkok (1,000,000+ downloads).

“EskyFun’s server was storing a rolling log of the previous 7 days’ user records from 3 separate games. At the end of each day, any data older than 7 days was automatically deleted to make room for fresh data.” reads the data breach published by the researchers. “As a result, our investigation focuses on just 7 days’ worth of data and any players exposed in that short window. However, despite only covering 7 days, the server still contained over 360 million records from players. This is an enormous amount of data collected from a few small, not well-known mobile games.”On Thursday, the team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they account for over 1.6 million downloads.

The experts pointed out that the gaming firm uses “aggressive and deeply troubling tracking, analytics, and permissions settings” collecting an impressive amount of data when users install their games.

vpnMentor reported that the server was containing 134GB of data, exposed records include:

IP address
IMEI number
Mobile application package doing the tracking
Device screen size – whether a device is ‘rooted’*
Device model
Phone number (if any)
Platform (Android/iOS)
NetType (WiFi or cellular)
Events (open,login,level_up, etc)

The experts attempted to report their discovery to the gaming, but received no response, for this reason they also contacted the Hong Kong CERT to secure the data. The good news is that EskyFun secured the server on July 28.

“If you’re a player on any of EskyFun’s games and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data.” concludes vpnMentor.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.