The phone app developed by startup Dexiga for WinStar, the world’s largest casino, had an exposed database that revealed customers’ private information.
My WinStar, the app offered by WinStar, provides self-service options, rewards points, loyalty benefits, and casino winnings to its guests.
Dexiga’s irresponsible act of leaving a logging database accessible without a password prompted TechCrunch to alert the company to the security lapse, after which the database was taken offline.
Good-faith security researcher Anurag Sen discovered the exposed database containing personal information and shared details with TechCrunch to disclose the security lapse.
The database contained unprotected personal data, including full names, phone numbers, email addresses, home addresses, and gender, with no encryption.
Despite Dexiga’s claim that no sensitive data was exposed, TechCrunch found evidence of a data spill involving Dexiga’s founder and internal user credentials associated with the exposed database.
After confirmation that the database was linked to the My WinStar app, TechCrunch contacted Dexiga, prompting the database to become inaccessible shortly thereafter.
However, Dexiga’s claim that the exposed information was publicly available was contradicted by the lack of specific dates concerning the exposure and by the internal account credentials found.
Furthermore, Dexiga’s failure to disclose whether other parties accessed the exposed database or to notify affected individuals raises concerns about the security and privacy implications of the data spill.
As the investigation into the incident continues, Dexiga states that it will take necessary actions to address the breach, while WinStar remains unresponsive to TechCrunch’s requests for comment.