The startup that develops the phone app for casino giant WinStar has secured an exposed database that leaked customers’ personal information onto the open web.
Oklahoma-based WinStar bills itself as the “world’s largest casino” by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, reward points and loyalty benefits, and casino winnings.
The app was developed by a software startup in Nevada called Dexiga.
The startup left one of its online logging databases without a password, allowing anyone who knew its public IP address to access the WinStar customer data stored inside using just their browser.
Dexiga took the database offline after TechCrunch alerted the company to the security flaw.
Anurag Sen, a bona fide security researcher with a knack for uncovering sensitive data inadvertently exposed online, found the database containing personal information, but it was initially unclear who owned the database.
Sen said the personal data includes full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and reveal the security flaw.
TechCrunch reviewed some of the exposed data and verified Sen’s findings. The database also contained a person’s gender and the IP address of the user’s device, according to TechCrunch.
None of the data was encrypted, although some sensitive data – such as a person’s date of birth – was redacted and replaced with asterisks.
A review of the exposed data by TechCrunch found an internal user account and password associated with Dexiga founder Rajini Jayaseelan.
Dexiga’s website says its technology platform powers the My WinStar app.
To confirm the source of the suspected leak, TechCrunch downloaded and installed the My WinStar app on an Android device and registered using a TechCrunch-verified phone number. This phone number immediately appeared in the exposed database, confirming that the database was connected to the My WinStar app.
TechCrunch contacted Jayaseelan and shared the IP address of the exposed database. The database became unreachable after a while.
In an email, Jayaseelan said Dexiga secured the database but claimed the database contained “publicly available information” and that no sensitive data was exposed.
Dexiga said the incident stemmed from a log migration in January. Dexiga did not provide a specific date when the database became exposed. The exposed database contained rolling daily logs dating back to January 26 at the time it was secured.
Jayaseelan would not say whether Dexiga has the technical means, such as access logs, to determine whether someone else accessed the database while it was exposed online. Jayaseelan also would not say whether Dexiga has notified WinStar of the security flaw or whether Dexiga would notify affected customers that their information had been exposed. It is not immediately known how many people had personal data exposed by the data breach.
“We are investigating the incident further, continue to monitor our IT systems and will take the necessary future action accordingly,” Dexiga said in response.
WinStar CEO Jack Parkinson did not respond to TechCrunch’s emails seeking comment.