In a report shared with ZDNet by vpnMentor’s security researchers, it was noted that the developer of games like Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok had left a server holding a wide range of user data exposed without adequate access controls.
The games in question have been downloaded more than 1.6 million times, which is where the estimated one million user figure comes from. The data contained 365,630,387 records from June 2021 onward.
The most troubling part of the leak is the kind of information it contained. EskyFun has what the team at vpnMentor calls “aggressive and deeply troubling tracking, analytics, and permissions settings.” In other words, the company was collecting far more data than a mobile game plausibly needs.
The data collected includes IMEI numbers, IP addresses, device information, phone numbers, the OS in use, mobile device event logs, whether or not a handset was rooted, email addresses, purchase records for the game, account passwords stored in plaintext, and support requests. The plaintext passwords are the most immediately dangerous item: combined with the email addresses in the same records, they are ready-made for credential-stuffing attacks against any other service where a player reused the same password, something a salted password hash would have prevented. It’s a shocking amount of data that was apparently left out in the open.
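To make the plaintext-password point concrete, here is an added example (not code from EskyFun or from the vpnMentor report) contrasting the anti-pattern with salted PBKDF2-HMAC-SHA256 from the Python standard library, plus a small triage helper that, given a constructed leaked dump, reports which accounts’ credentials are directly usable by whoever found the server. The record format, the sample rows and the helper names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Dict, Optional

# Iteration count for PBKDF2-HMAC-SHA256; OWASP's 2023 recommendation is 600,000.
ITERATIONS = 600_000
HASH_PREFIX = "pbkdf2_sha256$"


def store_plaintext(password: str) -> str:
    """The anti-pattern: the stored credential IS the password.
    Anyone who reads the database row can log in as the user."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string alone does not reveal
    the password; an attacker must brute-force each record separately.
    Format (an assumption for this example): pbkdf2_sha256$<iters>$<salt>$<digest>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s%d$%s$%s" % (
        HASH_PREFIX,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so verification leaks no timing information."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo + "$" != HASH_PREFIX:
        raise ValueError("unsupported credential format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def directly_usable_credentials(dump: List[Dict[str, str]]) -> List[str]:
    """Breach triage: given leaked rows (email + stored credential), return the
    emails whose credential is immediately usable because it was never hashed.
    Hashed rows still need a forced reset, but they are not instantly replayable."""
    return [row["email"] for row in dump if not row["credential"].startswith(HASH_PREFIX)]


# Constructed sample dump; these rows are invented for the example, not real leaked data.
SAMPLE_DUMP: List[Dict[str, str]] = [
    {"email": "alice@example.com", "credential": store_plaintext("Summer2021!")},
    {"email": "bob@example.com", "credential": store_hashed("correct horse battery staple")},
    {"email": "carol@example.com", "credential": store_plaintext("qwerty123")},
]

if __name__ == "__main__":
    print("Credentials replayable straight from the dump:", directly_usable_credentials(SAMPLE_DUMP))
```

The practical lesson for responders is visible in `directly_usable_credentials`: with plaintext storage every exposed row is a working login, so the only remediation is to invalidate all of them and warn users about reuse elsewhere, whereas properly salted hashes buy time for a forced reset before offline cracking recovers the weakest passwords.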
The team of researchers spoke about the issue and said, “Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users. Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse.”
The researchers made multiple attempts to contact EskyFun about the exposure and, receiving no response, ultimately turned to Hong Kong CERT to get the server secured. As of July 28 the server was no longer accessible, but by then the data may already have been copied by others.