Game Developer Exposed 42 Million Records

Chinese Game Developer Exposed 42 Million Records Online

Last updated on April 14, 2021

Secure Thoughts collaborated with Security Expert Jeremiah Fowler to expose a massive leak of over 40 million gamer records by a Chinese game development company. Here are his findings: 

On August 27th I discovered a non-password-protected database that contained a massive 42 million records. Upon further investigation, the records were connected to a Chinese game developer called Feeling Touch and hosted on a US based Alibaba server. There were IP addresses, device information, and user records from all over the world. According to Feeling Touch’s website, their games have over 300 million downloads.

The internal records were very detailed and indicated that these were production logs. There were recorded actions such as login time and duration, as well as what the user was doing in the games. These are obviously valuable analytics that help to identify strengths and weaknesses in the apps. There were also device names, IDs, app versions, OS data, and a unique code called “Tracker”.

I immediately sent a responsible disclosure notice to Feeling Touch and included details of the discovery. Public access to the database was restricted the following day. On September 2nd I sent a follow-up message and did not receive a response to either message. It is unclear how long the data was exposed or who else may have gained access to the millions of records.

Chinese Tech Firms Are Under The Microscope

In the United States, the Trump administration has been making threats to ban WeChat and TikTok from the American market. This will likely be a long battle played out in the court system, but it sends a clear message that the environment is changing. There is now a major focus on Chinese technology companies and how they collect and store data. Earlier in September, the U.S. Department of Commerce sent letters to gaming companies such as Epic Games, Riot Games, and others about their data-security policies and connections to Chinese investments. There is additional scrutiny on how foreign-owned companies handle the personal data of U.S. customers and users.

I am not implying any wrongdoing by Feeling Touch Games, nor am I suggesting that they are sharing this or any data with the Chinese Government. I am only highlighting my discovery to raise awareness and notify users that there was a breach.

Data exposures can happen to companies large and small and it doesn’t matter where they are located. This is yet another wakeup call for companies who collect and store data to take every precaution to protect their user data and internal records. As customers and users of games or applications, we must be more aware of how we share our data and who we are giving our personal information to. Unfortunately, a privacy policy or terms and conditions do not always clearly explain how your data is being used.

According to their website:

“Feelingtouch is a company committed to producing high quality and innovative mobile games across both the Google Play and iOS platforms. Our first release, Eagle’s Nest, went live in 2010 and has subsequently had over 11 million downloads. In our current library of more than 40 titles”.

42 million gamer records exposed

What was discovered:

  • 42,225,548 Total records exposed.
  • Production records that contain internal information such as configuration records, logging, and Security Tokens.
  • User IPs, GPS location data, City, Country, and connection type.
  • Hashed user data produced with the insecure MD5 hash algorithm.
  • “Tracker” ID numbers and detailed actions including interactions, logins, time spent.

Hashed But Not Secure

MD5 is a cryptographic hash function that takes data such as a name, password or other sensitive value and produces a fixed-length “string” of characters. The logic is that if the data is exposed or compromised, whoever gains access sees that string rather than the information in plain text. The danger of using MD5 is that it is no longer secure: there are huge precomputed databases in which the hash of any common value can be looked up and reversed easily. Despite its well-known vulnerabilities and having been introduced in 1992, some organizations sadly still use MD5.
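The lookup-table weakness described above, beside the keyed and salted alternatives that defeat it, as an added Python example (not code from the article or from Feelingtouch; the sample values are constructed and the function names are my own):

```python
import hashlib
import hmac
import secrets

# Constructed sample values standing in for exposed user fields (not data from the leak).
SAMPLE_VALUES = ["alice@example.com", "bob@example.com", "192.0.2.10"]


def md5_hex(value):
    """Unsalted MD5 hex digest, the scheme the exposed records appear to have used."""
    return hashlib.md5(value.encode()).hexdigest()


def build_lookup(candidates):
    """Precomputed table hash -> plaintext. Public tables hold billions of such rows."""
    return {md5_hex(v): v for v in candidates}


def recover_md5(leaked_hash, table):
    """Reversing an unsalted MD5 of predictable input is a dictionary lookup, not cryptanalysis."""
    return table.get(leaked_hash)


def pseudonymize(value, key):
    """Keyed HMAC-SHA256: a stable analytics join key that no keyless lookup table can match."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def hash_password(password, salt=None):
    """Salted, memory-hard scrypt for secrets; a per-record salt defeats precomputed tables."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored salt and digest."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup(SAMPLE_VALUES)
    print("MD5 recovered:", recover_md5(md5_hex("alice@example.com"), table))
    key = secrets.token_bytes(32)  # kept server-side, never stored with the analytics data
    print("HMAC recovered:", recover_md5(pseudonymize("alice@example.com", key), table))
    salt, digest = hash_password("correct horse")
    print("scrypt verify:", verify_password("correct horse", salt, digest))
```

Identifiers used only to join analytics records (IPs, device IDs, tracker codes) can be protected with the HMAC form; credentials need the salted, slow form.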

It appears that all of Feelingtouch’s games are free and have ads or in-app purchases. When it comes to technology, free is usually never free. Data is the new oil and is often as valuable as the products or services a company provides. Feelingtouch Technology Ltd is based in Hangzhou, China, and no one replied to my messages or gave any statement at the time of publication.