- After TechCrunch alerted Dexiga to the security breach, the company shut down the database.
- TechCrunch reviewed the leaked data and found an internal user account and password linked to Dexiga founder Rajini Jayaseelan.
- Jayaseelan did not say whether Dexiga had the technical means to determine whether anyone else accessed the database while it was exposed to the Internet.
WinStar, based in Oklahoma, bills itself as “the world’s largest casino.” The casino and hotel resort also offers an app, My WinStar, where guests can access self-service options, their reward points and loyalty benefits, as well as casino bonuses during their hotel stay.
Data breach
A startup that develops WinStar’s mobile app has secured an exposed database that was leaking customers’ private information onto the open web.
The app was created by a software startup in Nevada called Dexiga. The startup left a logging database on the Internet without a password, and anyone who knew its public IP address could use their web browser to access the WinStar customer data stored in it.
After TechCrunch alerted Dexiga to the security breach, the company shut down the database. Anurag Sen, a good-faith security researcher with an eye for finding sensitive data unintentionally exposed on the Internet, discovered that the database contained personal information, but it was not initially clear who the database belonged to.
Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security flaw. TechCrunch examined some of the exposed data and confirmed Sen’s findings. TechCrunch found that the database also contained each individual’s gender and the IP address of the user’s device. None of the data was encrypted, but some sensitive data, such as a person’s date of birth, was redacted and replaced with asterisks.
The Dexiga operation
TechCrunch reviewed the leaked data and found an internal user account and password linked to Dexiga founder Rajini Jayaseelan. Dexiga’s website says its technology platform powers the My WinStar app.
To confirm the source of the suspected leak, TechCrunch downloaded and installed the My WinStar app on an Android device and registered it using a phone number controlled by TechCrunch. The phone number immediately appeared in the exposed database, confirming that the database was linked to the My WinStar application.
TechCrunch contacted Jayaseelan and shared the IP address of the exposed database. Soon after, the database became inaccessible.
Jayaseelan said in an email that Dexiga secured the database, but claimed it contained “publicly available information” and no sensitive data was compromised.
Dexiga said the incident was caused by a log migration in January. Dexiga did not provide a specific date for the database exposure. The exposed database contained rolling daily logs dating back to January 26 at the time it was secured.
Jayaseelan did not say whether Dexiga had technical means, such as access logs, to determine whether anyone else accessed the database while it was exposed to the Internet. Jayaseelan also would not say whether Dexiga had notified WinStar of the security breach or whether Dexiga would notify affected customers that their information had been compromised. It is unclear how many people’s personal data were exposed as a result of the data breach.
Dexiga responded: “We are further investigating the incident, continue to monitor our IT systems and will take necessary action in the future.”