Latest News
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Reading Time: 3 minutes
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.
The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
Source: Latest News on European Gaming Media Network
This is a Syndicated News piece. Photo credits or photo sources can be found on the source article: MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Reading Time: < 1 minute
Tis the season to give back to players with supersized weekly races, massive ticket drops, and the return of the Mini Online Super Series
ACR Poker is kicking off the holiday season in style, officially crowning December as Player Appreciation Month and celebrating its community with $500,000 in giveaways, offering something for every type of player.
Throughout December, ACR Poker’s biggest weekly races – The Beast, Sit & Crush, and Blitz Beast – are getting a serious glow-up as part of Player Appreciation Month. Each week from Saturday, November 29th to Friday, January 2nd, the prizes will be supersized. There will also be a sleigh-load of free tournament tickets dropped throughout December, giving players more chances to score big without spending a dime.
And starting Wednesday, December 17th, the Mini Online Super Series (MOSS) returns to close out Player Appreciation Month. There will be a full schedule of events with buy-ins from $0 to $109 and massive guarantees offered, with the full details released soon.
“I love that ACR is turning the whole month into one big holiday party and giving players a little extra cheer,” said ACR Pro Chris Moneymaker. “Giving back to the players who make this community is a great way to wrap up the year. Alongside supersized races, ticket giveaways and the Mini Online Super Series, players should also keep an eye out for something big from ACR on December 9th during WSOP Paradise. Stay tuned.”
Whether players are grinding tournaments, splashing in cash games, or simply logging in for some holiday fun, December is shaping up to be the most wonderful time of the year at ACR Poker.
For more information about Player Appreciation Month, visit ACRPoker.eu.
The post ACR POKER CROWNS DECEMBER ‘PLAYER APPRECIATION MONTH’ WITH $500,000 IN GIVEAWAYS appeared first on European Gaming Industry News.
Reading Time: < 1 minute
The post INTRALOT Announces Nine Month 2025 Financial Results appeared first on European Gaming Industry News.
Reading Time: 2 minutes
The Board of Kambi Group plc has decided to again exercise the buyback mandate which was received at the Extraordinary General Meeting on 18 June 2025 to initiate a share repurchase programme with a total value of SEK 100 million (€9m) which will run until 20 May 2026.
In line with its capital allocation strategy and empowered by the mandate received at Kambi’s Extraordinary General Meeting on 18 June 2025 (EGM) the board of directors (Board) of Kambi Group plc (Kambi) has today initiated a share repurchase programmes with a total value of SEK 100 million (€9m).
The programme will run from the date of this announcement until 20 May 2026 and shares acquired will be cancelled at a future date. The maximum number of shares that may be acquired is 1,672,887, and the aggregate purchase price for such acquisitions shall not exceed SEK 100 million (€9m). The aggregate number of shares that may be acquired under the mandate received at Kambi’s EGM is 2,990,362, which is equivalent to 10% of Kambi’s total issued shares at the time of the EGM resolution.
The buyback programme will be carried out in accordance with the Maltese Companies Act (chapter 386 of the laws of Malta), the Nasdaq First North Growth Market Rulebook for Issuers of Shares, the EU Market Abuse Regulation (EU No 596/2014) (MAR), and Commission Delegated Regulation (EU) 2016/1052 (the Safe Harbour Regulation). The share buyback programme is intended to benefit from the share buyback safe harbour provisions set out in MAR. To this end Kambi has entered into an agreement with Carnegie Investment Bank AB (Carnegie) to execute the buyback programmes and conduct the share repurchases on Kambi’s behalf.
The acquisition of shares shall take place on one or several occasions on Nasdaq First North Growth market in Stockholm (Nasdaq First North) and Carnegie will make its trading decisions in relation to Kambi’s shares independently of and without influence by Kambi. Payments for the shares are to be made in cash.
The programme will be effected in compliance with the trading conditions set out in article 3 of the Safe Harbour Regulation. In particular, Kambi shall not, on any single trading day, purchase more than 25% of the average daily share turnover on Nasdaq First North. The average daily share turnover is calculated on the basis of the average daily trading volume during the twenty trading days preceding the respective purchase date. In addition, share repurchases under each programme shall:
- not be made at a price higher than the price of the last independent trade or (should this be higher) higher than the current highest independent purchase bid on Nasdaq First North,
- be made at a price per share within the price interval recorded on Nasdaq First North at any given time, i.e. the interval between the highest buying price and the lowest selling price, and
- not exceed or fall below the maximum and minimum ranges set out in the EGM resolution.
At the time of this announcement, the total number of issued shares in Kambi is 29,903,619. Kambi currently holds 2,193,675 of its own shares from prior buyback programmes which will be cancelled on or shortly after 1 December and 400,000 shares held to satisfy Kambi’s future obligations arising from its employee share option programmes.
Information on completed buybacks will be publicly disclosed in accordance with Safe Harbour Regulation and will also be available on the company’s website, kambi.com.
The post Kambi initiates share repurchase programme with a value of SEK 100 million appeared first on European Gaming Industry News.
-
Latest News3 months ago
Duels for Friends in Trophy Hunter. Invite your friends and create a shared space for fun and competition.
-
Latest News2 months ago
Announcement: 25th September 2025
-
Latest News3 months ago
Flamez – A Fiery New Online Casino Contender from Ganadu
-
Latest News3 months ago
GR8 Tech’s Bet It Drives Wraps Season 1 with Stephen Crystal—From Las Vegas Legends to Global Gaming Leadership
-
Latest News2 months ago
AI-Powered Gamification Arrives on Vegangster Platform via Smartico
-
Latest News2 months ago
The Countdown is On: Less Than 3 Months to Go Until The Games of The Future 2025 Kicks Off in Abu Dhabi
-
Latest News3 weeks ago
JioBLAST Launches All Stars vs India powered by Campa Energy: A New Era of Creator-Driven Esports Entertainment
-
Latest News2 months ago
Adidas Arena Set to Welcome the 2026 Six Invitational
You must be logged in to post a comment Login