Pierluigi Paganini January 12, 2024

Liquipedia, an online e-sports platform run by Team Liquid, exposed a database revealing its users’ email addresses and other details.

Users of the e-sports knowledge base were exposed via a publicly accessible and passwordless MongoDB database, the Cybernews research team has discovered. The database was closed after researchers informed Liquipedia’s admins about the issue.

Liquipedia is an encyclopedia on various video games, covering everything from history to tactics. The platform was founded and is run by Team Liquid, a Netherlands-based professional e-sports organization owned by aXiomatic Gaming, an e-sports and gaming enabler.

According to researchers, the leak revealed an authentication server with login details and information on Liquipedia’s users along with authentication details for Liquipedia admins.

However, following Cybernews’ ethical guidelines, the team did not access the server.

We have reached out to Liquipedia for comment but did not receive a reply before publishing.

A part of the exposed information was contained in a user collection weighing 77MB, containing data on nearly 119,000 users. The exposed Liquipedia user details include:

• User IDs
• User emails
• Email verification status
• Two-factor authentication status
• Account creation date

“The leaked information could be exploited for fraudulent activities, compromising the security and reputation of both the e-sports organization and its user base,” researchers said.

Alongside user information, administrator-level details were also present in the “clients” collection. Exposed information included social media secrets, pieces of sensitive information that authorize access to an environment, and private RSA keys.

RSA (Rivest–Shamir–Adleman) is an encryption system used for secure data transmission. Researchers surmised that secrets and private RSA keys were used to authenticate admin access to Liquipedia’s Reddit, Discord, Twitch, and X accounts.

Our team contacted Liquipedia in late October. The company responded on the same day and immediately took down the misconfigured MongoDB instance.

Liquipedia’s founder, Team Liquid, is among the most prestigious e-sports organizations in the world, with over two decades of experience. The team competes in several divisions, including Fortnite, Counter-Strike 2, Dota 2, League of Legends, StarCraft II, World of Warcraft, and others.

If you want to know more about the risks posed by the exposure of email and access credentials to social media sites take a look at the original post published by CyberNews:

https://cybernews.com/security/team-liquid-liquipedia-data-leak/

About the author: Vilius Petkauskas, Deputy Editor at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Team Liquid)