Posted on: November 16, 2023, 06:50h.

Last updated on: November 16, 2023, 06:50h.

One of Mexico’s leading online casinos, Strendus, has fallen victim to a major data breach, leaving sensitive user data exposed to unauthorized actors. However, the breach wasn’t the result of an external attack – someone in the company allegedly forgot to set a password on the server.

Strendus, the online gaming platform of the Mexican conglomerate Logrand Entertainment Group, allegedly offered public access to 85GB of its server authentication logs. These contain hundreds of thousands of entries with private information about gamblers.

The exposed data, discovered by the Cybernews research team, included users’ true identities, home addresses, occupations, deposit histories and more. Compounding the severity of the breach, data from another online casino, MustangMoney, was also found within the open instance.

Careless and Dangerous Oversight

Cybernews, which employees a team of white hat hackers to scour the web for problems like this, highlighted the potential risks associated with the exposed information. It emphasized that the careless oversight could be exploited for fraudulent activities, identity theft or phishing attempts. It can even serve as a valuable resource for meticulously targeted cyberattacks.

The researchers identified Indicators of Compromise (IoC) within the server log entries, indicating a security incident or breach. The absence of regular monitoring for such indicators further heightened the risks for users. While the research points to a possible theft of data, there is no hard evidence that anything was taken.

Of particular concern is the delay in addressing the issue, as the breach was first identified by Cybernews in April. However, the company only took action to rectify the situation in October. The prolonged period of exposure underscores the potential threat to users who had their personal information laid bare for months.

Online casinos store extensive amounts of customer data to comply with gambling laws and adhere to Know Your Customer (KYC) regulations. These regulations are designed to verify the identity of users, preventing fraud, money laundering and other illicit activities. However, the recent breach raises questions about the effectiveness of security measures implemented by these platforms.

The onus is on companies to prioritize and enhance their security protocols to protect their users from potential harm. However, there appears to be no indication that Strendus took the flaw seriously.

Cybernews and Casino.org have made repeated attempts to talk to someone at Strendus. However, neither has received a response.

Cyberattacks on the Rise

The alarming rise in cyberattacks is evident with recent breaches targeting major entities like MGM Resorts International, Caesars Entertainment and (possibly) Marina Bay Sands. These high-profile incidents underscore the escalating threat posed by cybercriminals.

While countries are increasingly joining forces to counter these attacks, hackers are adept at evolving their tactics and tools, presenting a formidable challenge to cybersecurity efforts. The attack on MGM Resorts exposed personal details of over 10 million guests, highlighting the severity of breaches in the hospitality sector.

Similarly, the breaches at Caesars Entertainment and Marina Bay Sands emphasized the vulnerability of even the most prominent organizations to sophisticated cyber threats. As countries collaborate to enhance cybersecurity measures, the dynamic nature of cyber threats necessitates continuous innovation to stay ahead of increasingly intelligent and adaptable hackers. This also means taking measures to ensure they don’t have free and unfettered access to company equipment.