‘World’s biggest casino’ app exposed customers’ personal data

A security lapse exposed WinStar casino app users’ data. Dexiga, the app developer, left a database unprotected, revealing names, phone numbers, addresses, and more. The issue is under investigation.

Data Breach Hits WinStar's My WinStar App Developed by Dexiga (Image: Tripadvisor)

Security Lapse Exposes WinStar Casino App Users’ Private Information

In a recent security lapse, an unprotected database belonging to the My WinStar app, developed by Nevada-based startup Dexiga for the renowned casino resort giant WinStar, has exposed sensitive customer information to the open web.

Background: WinStar, the World’s Biggest Casino

WinStar, located in Oklahoma, proudly touts itself as the “world’s biggest casino” based on square footage. Alongside its extravagant casino offerings, WinStar provides an app called My WinStar, developed by Dexiga, that lets guests manage their hotel stay, access rewards points and loyalty benefits, and view casino winnings.

The Exposure: A Database Left Unprotected

Dexiga, in a critical oversight, left one of its logging databases unprotected on the internet, accessible without a password. This lapse allowed anyone with knowledge of its public IP address to freely access and peruse the personal data of WinStar customers using just a web browser.

Security researcher Anurag Sen discovered the exposed database, which included full names, phone numbers, email addresses, home addresses, gender information, and even the IP addresses of users’ devices. Disturbingly, the data was found to be unencrypted, although certain sensitive information, such as dates of birth, was redacted.

TechCrunch independently verified Sen’s findings and discovered an internal user account and password associated with Dexiga founder Rajini Jayaseelan. Dexiga’s website confirms that its tech platform powers the My WinStar app.

Security Response and Clarifications from Dexiga

Upon being alerted by TechCrunch, Dexiga promptly took the exposed database offline. In an email response, Jayaseelan claimed that the database only contained “publicly available information” and asserted that no sensitive data was compromised. Dexiga attributed the incident to a log migration that occurred in January but did not specify when the database became exposed.

Dexiga’s founder did not disclose whether the company has the technical capability to determine if other unauthorized parties accessed the database during its exposure. Furthermore, there is no information on whether Dexiga has informed WinStar about the security lapse or if affected customers will be notified of the data exposure. The number of individuals affected remains unknown.

Verification and Confirmation: My WinStar App Link Established

To confirm the source of the exposed data, TechCrunch went a step further and downloaded the My WinStar app on an Android device, signing up using a phone number controlled by the publication. Almost instantly, this phone number appeared in the exposed database, conclusively linking the database to the My WinStar app.

As of now, Dexiga is investigating the incident and states that it is actively monitoring its IT systems. However, it has not provided details on the specific actions it plans to take in response to the security lapse. WinStar’s general manager, Jack Parkinson, has not responded to TechCrunch’s emails seeking comment on the matter.

Source: TechCrunch