A data vulnerability at Unipin, one of the largest payment processors for mobile games in Southeast Asia, briefly exposed roughly 10 million user transaction records from gamers, which included usernames, purchase amounts, and email addresses.
When reached for comment, Unipin confirmed the vulnerability from July 3. However, KrASIA was able to verify its existence from at least as early as July 1. The vulnerability allowed anyone to access data—which did not include sensitive information such as real names, log in, or bank account information—by simply entering a compromised URL address.
“We found a bug that resulted in the accession of a small amount of successful transaction data, such as players’ character names. However, we can ensure that crucial data, for example, customer’s passwords, banking information, or other sensitive data that might jeopardize our user’s privacy, remain safely controlled in the UniPin system,” the spokesperson told KrASIA in the email. “There’s no user’s sensitive data are [sic] being disclosed.”
Garena and NetEase (HKG: 9999), two gaming companies that use Unipin as payment processing partner, declined to comment.
The leak is reminiscent of recent news involving Indonesian e-commerce unicorns Tokopedia and Bukalapak. In those cases, similar transaction records were leaked, then sold online. Taken together, usernames, transaction amounts, and email addresses can be valuable for hackers for reselling to competitors or, more seriously, for social engineering.
Unipin’s vulnerability raises questions about the protections in place at payment processors, who—amid the boom in online gaming—sit on mountains of user data.
“The vulnerability at Unipin becomes an example that the information and data security is a global problem, not only in Southeast Asia,” said Sam Ardi, a cybersecurity expert, who was shown a video of the vulnerability by KrASIA. “Security is not only an issue for young users but also the adult generation. Many people haven’t aware of information and data security, especially related to their accounts.”
According to web analytics portal Similarweb, more than 3 million people visited Unipin in May 2020. The platform collects payments on its website for popular mobile games such as Garena’s Free Fire, Moonton’s Mobile Legends, NetEase’s Rules of Survival, VNG’s King of Fighters, Zlongame’s Dragon Raja, and Tencent’s PUBG Mobile.
Unipin operates in Singapore, Indonesia, the Philippines, Malaysia, Thailand, and India.