Following a failed update, the personal data of Leetchi money-pot creators was accessible from their pot's page. The fault was repaired on April 20, and the company is gradually notifying the people concerned.
Since the end of April, the French online money-pot company Leetchi has been warning some of its 14 million users that a “” has caused their personal data to leak.
Wow, mail received just now from @Leetchiweb: “A technical error escaped our attention and led to a loss of confidentiality of your personal data (name, first name, date of birth, e-mail, GPS coordinates), made visible in the source code of your pot page.” pic.twitter.com/Jc5rOkhDwN
– Nassira El Moaddem (@NassiraELM) May 12, 2020
The first name, last name, date of birth, email address and GPS coordinates of pot creators were set out in clear text in the source code of the page for their pot. To get hold of the data, you needed access to that specific page.
For the many public pots, the site's search engine was enough. Access is more complicated for private pots, which are not indexed by search engines and whose link is, in theory, sent only to participants.
Money pots validated manually for a few days
Leetchi discovered the error on April 16 and fixed it on April 20. It feared that some accounts would be compromised: “”, said the company, contacted by Numerama.
Pot payouts therefore lagged behind the usual pace, but no fraudulent spending from any pot was detected. The company adds that the funds collected, bank details and passwords are not affected by the leak.
The French money-pot giant followed the legal process laid down by the General Data Protection Regulation: it filed a notification with the CNIL (the French data protection authority), then warned the people concerned, as the regulation requires.
A new layout of the “I participate” button compromised the page's security
Leetchi gave us additional information on the origin of the leak: “”.
This kind of situation is relatively common: developers deploy a new feature on their site, which changes several parameters, including some related to its security, but they forget to check each of them immediately.
All pot creators have been exposed
The severity of a leak depends largely on the organisation's ability to spot and repair it quickly, before malicious actors get their hands on the data. There are all kinds of automated detection tools for this.
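As an added illustration, not Leetchi's code or markup, here is a defender-side regression check of the kind alluded to above: it scans a rendered page's source for PII-shaped tokens (email address, date of birth, GPS pair) so that a deployment which starts embedding the creator record fails a test instead of going live. The sample markup and the `__WIDGET__` name are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of a pot page whose "participate" widget (hypothetical
# name) serialises the creator record into the HTML. This is not Leetchi's
# markup; it only illustrates the class of regression described above.
LEAKY_PAGE = """<html><body>
<h1>Anniversaire de Marie</h1>
<script>window.__WIDGET__ = {"pot":{"id":"demo-1"},"creator":
{"firstName":"Marie","lastName":"Dupont","birthDate":"1987-03-14",
"email":"marie.dupont@example.org","location":[48.8566,2.3522]}};</script>
</body></html>"""

# Same page after the fix: only the public pot identifier is embedded.
CLEAN_PAGE = """<html><body><h1>Anniversaire de Marie</h1>
<script>window.__WIDGET__ = {"pot":{"id":"demo-1"}};</script></body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DATE_RE = re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b")
# Two decimals with at least three fractional digits, comma-separated: a lat/lon pair.
COORD_RE = re.compile(r"(-?\d{1,2}\.\d{3,})\s*,\s*(-?\d{1,3}\.\d{3,})")


def find_pii(html: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every PII-shaped token in the page source."""
    hits = [("email", m.group(0)) for m in EMAIL_RE.finditer(html)]
    hits += [("date", m.group(0)) for m in DATE_RE.finditer(html)]
    for m in COORD_RE.finditer(html):
        lat, lon = float(m.group(1)), float(m.group(2))
        # Keep only pairs that are plausible GPS coordinates.
        if -90 <= lat <= 90 and -180 <= lon <= 180:
            hits.append(("gps", m.group(0)))
    return hits


def assert_no_pii(html: str) -> None:
    """Test-suite style check meant to run against each rendered page after deployment."""
    hits = find_pii(html)
    if hits:
        raise AssertionError(f"PII exposed in page source: {hits}")


if __name__ == "__main__":
    assert_no_pii(CLEAN_PAGE)           # passes
    print(find_pii(LEAKY_PAGE))         # lists the email, birth date and GPS pair
```

The same scan can be pointed at a staging deployment's HTML for a handful of public and private pots, which would have caught this regression in the four days between deployment and discovery.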
Since it has identified the source of the problem, Leetchi should be able to estimate how long the fault was open. Numerama asked it for this estimate, as well as for the number of people concerned. Among the people who contacted us, some had created their last Leetchi pot in 2016, and all pot creators seem to have been exposed.
An explosive cocktail of data, but no bank data
Email, identity and GPS coordinates have leaked: in the wrong hands, this is an explosive cocktail of data. It would, for example, allow better targeting of basic attacks such as phishing. Potential attackers would also know the name of the pot, which is valuable additional information, especially for financial scams.
An email address is part of your online identity, to which all kinds of information (interests, associates, activities, etc.) can be linked. For example, checking whether your email address appears in large data breaches such as those of LinkedIn or Facebook yields a whole list of data about you. Email addresses are therefore particularly sought after, in large volumes, on black markets. They are also the raw material of phishing campaigns, a self-contained kind of cyber attack, but also a gateway to more virulent attacks.
The question mark around GPS data
In addition to identity and email, the company also reports that GPS coordinates leaked. Depending on their volume and quality, they can be used to find a victim's home address and workplace, or even to track their movements. We therefore asked Leetchi to specify what GPS data it collects, and we are awaiting its response.
The company has yet to tell us whether it detected suspicious activity around the leak.
Headline photo credit: Louise Audry for Numerama