EskyFun data leak, over 1 million Android gamers impacted

vpnMentor’s researchers reported that the Chinese mobile gaming company EskyFun suffered a data breach, over 1 million gamers impacted.

vpnMentor’s researchers discovered that the Chinese mobile gaming company EskyFun suffered a data breach, information of over 1 million gamers were exposed on an unsecured server. 

EskyFun developed several Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M. The games affected in the data leak were: Rainbow Story: Fantasy MMORPG (500,000+ downloads); Metamorph M (100,000+ downloads); Dynasty Heroes: Legends of Samkok (1,000,000+ downloads).

“EskyFun’s server was storing a rolling log of the previous 7 days’ user records from 3 separate games. At the end of each day, any data older than 7 days was automatically deleted to make room for fresh data.” reads the data breach published by the researchers. “As a result, our investigation focuses on just 7 days’ worth of data and any players exposed in that short window. However, despite only covering 7 days, the server still contained over 360 million records from players. This is an enormous amount of data collected from a few small, not well-known mobile games.”On Thursday, the team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they account for over 1.6 million downloads.  

The experts pointed out that the gaming firm uses “aggressive and deeply troubling tracking, analytics, and permissions settings” collecting an impressive amount of data when users install their games.

vpnMentor reported that the server was containing 134GB of data, exposed records include:

• IP address
• IMEI number
• Mobile application package doing the tracking
• Device screen size – whether a device is ‘rooted’*
• Device model
• Phone number (if any)
• Platform (Android/iOS)
• NetType (WiFi or cellular)
• Events (open,login,level_up, etc)

The experts attempted to report their discovery to the gaming, but received no response, for this reason they also contacted the Hong Kong CERT to secure the data. The good news is that EskyFun secured the server on July 28.

“If you’re a player on any of EskyFun’s games and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data.” concludes vpnMentor.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]