The startup that develops the phone app for casino giant WinStar has secured an exposed database that was broadcasting customers' private information across the open web.
WinStar, based in Oklahoma, bills itself as the “world’s largest casino” in terms of area. The casino and resort hotel also offer an app, My WinStar, in which guests can access self-service options during their hotel stay, their reward points and loyalty benefits, and casino winnings.
The app is developed by a Nevada software startup called Dexiga.
The startup left one of its internet-facing logging databases without a password, allowing anyone who knew its public IP address to access WinStar customer data stored there using only their web browser.
Dexiga took the database offline after TechCrunch alerted the company to the security breach.
Anurag Sen, a bona fide security researcher with a knack for uncovering sensitive data inadvertently exposed on the Internet, found the database containing personal information, but it was initially unclear who owned the database.
Sen said the personal data included full names, telephone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security flaw.
TechCrunch reviewed some of the exposed data and verified Sen's findings. The database also contained an individual's gender and the IP address of the user's device, TechCrunch found.
None of the data was encrypted, although some sensitive data, such as a person's date of birth, was redacted and replaced with asterisks.
A review of the exposed data by TechCrunch revealed an internal user account and password associated with Dexiga founder Rajini Jayaseelan.
Dexiga's website says its technology platform powers the My WinStar app.
To confirm the source of the suspected spill, TechCrunch downloaded and installed the My WinStar app on an Android device and registered using a phone number controlled by TechCrunch. This phone number instantly appeared in the exposed database, confirming that the database was linked to the My WinStar app.
TechCrunch contacted Jayaseelan and shared the IP address of the exposed database. The database became inaccessible shortly after.
In an email, Jayaseelan said Dexiga had secured the database, but claimed the database contained “publicly available information” and that no sensitive data had been exposed.
Dexiga said the incident was the result of a log migration in January. Dexiga did not provide a specific date when the database was exposed. At the time it was secured, the exposed database contained continuous daily logs dating back to January 26.
Jayaseelan would not say whether Dexiga has the technical means, such as access logs, to determine whether anyone else accessed the database while it was exposed on the Internet. Jayaseelan also did not say whether Dexiga had informed WinStar of the security breach or whether Dexiga would notify affected customers that their information had been exposed. It was not immediately clear how many people had their personal data exposed by the data breach.
“We are further investigating the incident, continue to monitor our IT systems and will take necessary future actions accordingly,” Dexiga said in response.
WinStar Chief Executive Jack Parkinson did not respond to emails from TechCrunch seeking comment.