The Progress Data of 1,00,000 Players Was Exposed by the RPG Guidus
- Written by Ari Denial Cybersecurity & Tech Writer
Guidus, a popular mobile role-playing game (RPG), leaks information about its users’ game progress.
Cybernews researched and discovered that the sensitive data had been hardcoded into the Guidus app, exposing it to data leaks. There are over 100k downloads of Guidus on the Google Play App store. It is a famous pixel RPG game for mobile devices. Over 16k reviewers have given this app a rating of 4.2 out of 5. The game requires the player to fight their way through dungeons to reclaim the palace and rescue the true heir to the kingdom.
The game had a good reputation and appeared to be a legitimate application, but now it has been confirmed that millions of users’ game progress data have been leaked. “The app spilled information about users’ game progress, including anonymized tokens used by gamers as ‘in-game’ curries and as digital markers to track progress. If the data leaked had not been backed up and a malicious actor had chosen to delete it, it is possible that the user’s progress in the game would have been permanently lost without the possibility of recovery,” said Cybernews.
“Hardcoding sensitive data into the client side of an Android app is a bad idea, in most cases, it can be easily accessed through reverse engineering,” they added. The hackers might be able to access even more sensitive data about the player if they can access those keys.
Here are the keys found hardcoded into the client side of the app:
- firebase_database_url, gcm_defaultSenderId
- default_web_client_id, google_api_key
- google_app_id
- google_crash_reporting_api_key
- google_storage_bucket
According to Cybernews, over 33,000 Android apps were analyzed earlier this year and the most sensitive hardcoded secrets left exposed were API keys used to authorize projects, Firebase dataset links, and Google Storage buckets.
Business, lifestyle, health and fitness, tools, and education are the top five app categories that contain the most hardcoded personal data.
Puma Investigates Data Leak Allegations Involving More Than 2,30,000 Customers
- Written by Ari Denial Cybersecurity & Tech Writer
A hacker forum allegedly contained the private data of over 230k Puma customers in Chile.
In January 2023, a hacker listed an 84MB dataset allegedly belonging to Puma for sale. According to Cybernews, “the leaked database included customers’ names and contact information, such as emails, telephone numbers, and billing and shipping addresses. It also contained details about their purchases – order numbers, payment methods, total monies paid, shipping costs, and discounts.”
According to the cybercriminals behind the dataset listing, it comes from Puma’s Chilean e-commerce website, but Cybernews was unable to verify this independently as of 3 February 2023.
Threat actors can launch targeted phishing attacks using Puma’s alleged data leak. Using the information found in this dump, they could send texts and emails pretending to be from Puma, and use valid order numbers and names. Additionally, they may be able to use this information in conjunction with partial credit card information that has been leaked previously to make purchases with the victim’s card, said a Cybernews researcher, Aras Nazarovas.
As a result of a ransomware attack on Kronos, one of Puma’s Human Resource management providers, Puma suffered a data breach in 2022. Kronos was breached by ransomware in December 2021, disrupting payroll processing and staff management.
As per Cybernews, Hackers gained access to employees’ personal data, including social security numbers, as a result of the massive attack. In the US, employees were left without salaries for weeks afterward.
Research by Cybernews shows that e-commerce websites are easy targets for cybercriminals, which is why leaks like these happen frequently. Increasingly, threat actors are trying to exploit such sites, so developers should ensure that security measures are implemented.
