Leading Arcade Game Maker Discloses Nearly 19 Million User Records Through WeChat Mini App

Rear view of a young black man walking and looking at large digital screens that slide while displaying lines of code. Professional hacker piercing cybersecurity protection system and modifying code — (Image credit: Shutterstock)

Wahlap left an Elasticsearch instance open exposing 18.9 million records related to its WeChat mini-program ecosystem.
The data included 6.6 million unique union identifiers, 1.7 million phone numbers and personal information that could enable targeted phishing and fraud.
The archives were locked after their disclosure, although there is no evidence that the exposed information was exfiltrated.

Wahlap, the Chinese arcade powerhouse, allegedly maintains a huge user database open on the Internet, accessible to anyone who knows where to look, according to security researchers at Cybernews warned, putting personal information at risk.

Wahlap is one of the largest arcade manufacturers in the world, working with some of the biggest names in the video game industry, such as Sega and Timezone. It offers Wahlap WeChat mini-programs, lightweight applications that run within the WeChat ecosystem.

For those unfamiliar with WeChat, it is one of the most popular mobile apps in the Chinese market. It’s primarily a chat app, but it offers all kinds of features, from instant payments to seemingly light gaming. These features come in the form of mini-apps displayed in WeChat, and Wahlap appears to have collected and stored the generated data in an open Elasticsearch instance.

Risk of phishing and fraud

THE Cybernews The team divided the information into several categories: Wahlap member data, gaming behavior data, asset data, consumer snapshots, and other indices.

In total, 18.9 million records were exposed online, with Wahlap’s member data category being by far the largest. Weighing over 10 GB, it contains 6.6 million unique union IDs, 1.7 million unique phone numbers and 24,000 dates of birth and full names.

Researchers believe the data could have been used to profile Wahlap users and target them with highly personalized phishing attacks and fraud. “Additionally, the recordings contained data revealing user identifiers within the Wahlap ecosystem referencing different mini-programs available as well as registration dates for specific games,” the report said. Cybernews the team said. This is precisely the kind of information that threat actors can use to appear credible.

However, there is no evidence that the data has ever been exfiltrated.

Sign up for the TechRadar Pro newsletter to get all the top news, opinions, features and tips your business needs to succeed!

Cybernews contacted Wahlap and, although he did not receive confirmation or written acknowledgment, he noticed that the archives were locked shortly afterward.

Google logo on black background next to the text “Click to follow TechRadar”

Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). During his career, which spans more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also hosted several modules on content writing for Represent Communications.