“Major Casino App Exposed Customers’ Personal Data in a Security Breach”

A security lapse at a Nevada-based software startup, Dexiga, has exposed the personal information of customers who use the My WinStar app, developed by the company for casino resort giant WinStar. The database, which was left exposed to the internet without a password, contained sensitive data including full names, phone numbers, email addresses, and home addresses.

Who is Impacted?

WinStar, located in Oklahoma, bills itself as the ‘world’s biggest casino’ by square footage. The casino and hotel resort offers an app called My WinStar, which allows guests to access self-service options during their stay, rewards points, and loyalty benefits, as well as casino winnings. Dexiga developed the app, but its security lapse has put customers’ private information at risk.

What Happened?

Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, stumbled upon the database containing personal information. Initially, it was unclear who the database belonged to, but further investigation revealed that it was linked to the My WinStar app.

Exposed Data

The database contained:

  • Full names
  • Phone numbers
  • Email addresses
  • Home addresses
  • Individual’s gender
  • IP address of the user’s device (unencrypted)

Some sensitive data, such as a person’s date of birth, was redacted and replaced with asterisks. None of the exposed data was encrypted.

Database Owner Confirmed

TechCrunch downloaded and installed the My WinStar app on an Android device and signed up using a phone number controlled by TechCrunch. This confirmed that the database was linked to the My WinStar app.

Response from Dexiga

Dexiga’s founder, Rajini Jayaseelan, claimed in an email that the exposed data contained ‘publicly available information’ and that no sensitive data was exposed. However, the investigation revealed that the database contained rolling daily logs dating back to January 26 at the time it was secured.

Security Lapse Explained

Jayaseelan stated that the incident resulted from a log migration in January. Dexiga did not provide a specific date when the database became exposed. When asked if Dexiga has the technical means, such as access logs, to determine if anyone else accessed the database while it was exposed to the internet, Jayaseelan remained silent.

Notification and Incident Response

Dexiga secured the database after being notified by TechCrunch. However, it is unclear if Dexiga has informed WinStar of the security lapse or will notify affected customers that their information was exposed.

Investigation and Future Actions

Dexiga stated in a response: "We are further investigating the incident, continue to monitor our IT systems, and will take necessary future actions accordingly." The exact number of individuals who had personal data exposed by the data spill remains unknown.
