A startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information onto the open web.
Oklahoma-based WinStar claims to be the “largest casino in the world” by square footage. The casino and hotel resort also offers an app called My WinStar, in which guests can access self-service options, their reward points and loyalty benefits, and their casino winnings during their hotel stay.
The app was developed by Dexiga, a Nevada software startup.
The startup left one of its logging databases on the internet without a password, allowing anyone who knew its public IP address to access the WinStar customer data stored within using only a web browser.
Dexiga took the database offline after TechCrunch alerted the company to the security flaw.
Anurag Sen, a good-faith security researcher who specializes in finding sensitive data inadvertently exposed on the internet, discovered the database containing personal information, but it was initially unclear who owned it.
The personal data included full names, phone numbers, email addresses and home addresses, Sen said. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse.
TechCrunch reviewed some of the exposed data and confirmed Sen's findings. The database also contained each person's gender and the IP address of the user's device, TechCrunch found.
None of the data was encrypted, but some sensitive data, such as a person's date of birth, was redacted and replaced with asterisks.
A review of the exposed data by TechCrunch found an internal user account and password associated with Dexiga founder Rajini Jayaseelan.
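The partial redaction described above (dates of birth masked, everything else logged in the clear) is the difference between two logging patterns. As an added illustration, not Dexiga's code and not a description of its real schema or database, the Python below constructs a sample user record, shows the weak pattern of serialising the whole record into a log line beside the corrected pattern that masks every personal field first, and includes a small audit check that flags email, phone, date-of-birth and IPv4 patterns still present in an already-written log line. Field names and the sample record are assumptions for the example.

```python
import json
import re
from typing import Any

# Keys whose values are personal data and must be masked before logging.
# Hypothetical schema: the article does not describe the real record format.
SENSITIVE_KEYS = {"full_name", "phone", "email", "home_address",
                  "date_of_birth", "ip_address", "password"}

# Patterns that flag PII left in the clear in an already-written log line.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
    "dob":   re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def mask(value: Any, keep_last: int = 0) -> str:
    """Replace a value with asterisks, optionally keeping its last characters."""
    s = str(value)
    if keep_last <= 0 or keep_last >= len(s):
        return "*" * len(s)
    return "*" * (len(s) - keep_last) + s[-keep_last:]


def redact_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `record` with every sensitive field masked."""
    redacted = {}
    for key, value in record.items():
        if key in SENSITIVE_KEYS:
            # Keep the last four digits of a phone number so support staff can
            # still correlate a ticket; every other sensitive field is fully masked.
            redacted[key] = mask(value, keep_last=4 if key == "phone" else 0)
        else:
            redacted[key] = value
    return redacted


def log_line_unsafe(event: str, record: dict[str, Any]) -> str:
    """The weak pattern: serialise the whole user record into the log."""
    return json.dumps({"event": event, "user": record})


def log_line_safe(event: str, record: dict[str, Any]) -> str:
    """The corrected pattern: mask PII first, then serialise."""
    return json.dumps({"event": event, "user": redact_record(record)})


def find_pii(line: str) -> list[str]:
    """Audit helper: names of the PII kinds still present in a log line."""
    return [name for name, pat in PII_PATTERNS.items() if pat.search(line)]


# Constructed sample record for the example; not real data.
SAMPLE = {
    "user_id": 10423,
    "full_name": "Jane Q. Example",
    "phone": "+1 555 010 2233",
    "email": "jane@example.com",
    "home_address": "1 Example Way, Thackerville, OK",
    "date_of_birth": "1980-04-12",
    "ip_address": "198.51.100.7",
    "gender": "F",
}

if __name__ == "__main__":
    unsafe = log_line_unsafe("signup", SAMPLE)
    safe = log_line_safe("signup", SAMPLE)
    print(unsafe, find_pii(unsafe))
    print(safe, find_pii(safe))
```

Running `find_pii` over the exported contents of a logging database is the quickest way to tell whether a "logs only" store is really free of personal data; on the sample record the unsafe line trips all four patterns and the redacted line trips none.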
Dexiga's website says its tech platform powers the My WinStar app.
To confirm the source of the suspected spill, TechCrunch downloaded and installed the My WinStar app on an Android device and signed up using a phone number controlled by TechCrunch. That phone number immediately appeared in the exposed database, confirming that the database was linked to the My WinStar app.
TechCrunch contacted Jayaseelan and shared the IP address of the exposed database. The database became inaccessible a short time later.
In an email, Jayaseelan said Dexiga had secured the database, but said the database contained “publicly available information” and that no sensitive data had been exposed.
Dexiga blamed the incident on a log migration in January. Dexiga did not provide a specific date on which the database was exposed. The exposed database contained rolling daily logs dating back to January 26, when it was secured.
Jayaseelan did not say whether Dexiga had the technical means, such as access logs, to determine whether anyone else had accessed the database while it was exposed to the internet. Jayaseelan also did not say whether Dexiga had notified WinStar of the security lapse or whether Dexiga would notify affected customers that their information had been exposed. It was not immediately known how many people had personal data exposed through the data spill.
“We are investigating this incident further, will continue to monitor our IT systems and will take any necessary future actions accordingly,” Dexiga said in response.
WinStar general manager Jack Parkinson did not respond to TechCrunch's emails requesting comment.