On April 1st Bob Diachenko discovered an Elasticsearch database, left without password protection, that appeared to contain millions of records detailing golf games, courses, messages, and other player data. Further investigation turned up many references to GAME GOLF inside the database. San Francisco based GAME GOLF offers a free app, a paid pro version, coaching tools, a wearable analyzer, and more. The app and wearable track a golfer’s on-course performance and use that data to improve the user’s game.
Unfortunately, all of this user data was collected and stored in a database that anyone with an internet connection could reach, with no authentication in front of it. The data includes 134 million rounds of golf, 4.9 million user notifications, and 19.2 million records in an index called “activity feed”. According to GAME GOLF’s website, the company uses 60 billion data points, machine learning and artificial intelligence.
It is unclear how long this data was exposed or who else may have had access to it. Bob Diachenko sent the first disclosure notification shortly after the discovery on April 1st. The data remained open for several days; a second notice was sent on April 5th and the Security Discovery team left several phone messages. We confirmed that the database was no longer publicly accessible on April 16th and reached out to GAME GOLF once more, but, as with all previous attempts, we never received a reply.
What we discovered included the following:
- Elasticsearch database left open and viewable in any browser (publicly accessible): anyone could read this data without administrative credentials.
- 218k users’ names, email addresses, logins, messages, activity and other data in plain text, along with hashed passwords.
- Many users had Facebook IDs and login data.
- IP addresses, ports, paths, and storage details that cyber criminals could use to move deeper into the network.
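The first finding above, an Elasticsearch REST endpoint that answers without credentials, is something any operator can test for on their own hosts. The script below is an added example written for this article; it is not Security Discovery’s tooling and not GAME GOLF code. It sends an unauthenticated `GET /` to port 9200, decides from the HTTP status and the cluster banner whether the node is open, requires authentication, or is not Elasticsearch at all, and, if it is open, lists the indices and their document counts from `/_cat/indices`. The sample responses embedded at the bottom are constructed (the index names and counts are illustrative, not data from the exposed database) so the parsing can be exercised offline.

```python
"""Audit check for an Elasticsearch REST endpoint reachable without credentials.

Added example for this article, not Security Discovery's own tooling and not
GAME GOLF code. It is meant for auditing hosts you are authorized to test.
"""
import json
import sys
import urllib.error
import urllib.request

# Banner Elasticsearch returns in the JSON body of GET / on its HTTP port (9200 by default).
ES_TAGLINE = "You Know, for Search"


def classify_root_response(status, body):
    """Classify the reply to an unauthenticated GET / against the cluster.

    Returns "open" (Elasticsearch answered with its cluster banner and no
    credentials were needed), "auth_required" (HTTP 401, security is enabled),
    "not_elasticsearch" (something else is listening) or "error".
    """
    if status == 401:
        return "auth_required"
    if status != 200:
        return "error"
    try:
        info = json.loads(body)
    except (TypeError, ValueError):
        return "not_elasticsearch"
    if isinstance(info, dict) and info.get("tagline") == ES_TAGLINE:
        return "open"
    return "not_elasticsearch"


def summarize_indices(body):
    """Parse the JSON from GET /_cat/indices?format=json.

    Returns (index name, document count) pairs, largest first. Closed
    indices report docs.count as null and are skipped.
    """
    rows = json.loads(body)
    found = []
    for row in rows:
        count = row.get("docs.count")
        if count is None:
            continue
        found.append((row["index"], int(count)))
    found.sort(key=lambda pair: pair[1], reverse=True)
    return found


def probe(host, port=9200, timeout=5):
    """Query a live host. Returns (verdict, indices); indices is empty unless the cluster is open."""
    base = f"http://{host}:{port}"
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as resp:
            verdict = classify_root_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # must precede URLError: HTTPError is a subclass of it
        verdict = classify_root_response(err.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable", []
    if verdict != "open":
        return verdict, []
    try:
        with urllib.request.urlopen(base + "/_cat/indices?format=json", timeout=timeout) as resp:
            return verdict, summarize_indices(resp.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError, ValueError):
        return verdict, []


# Constructed sample responses (index names and counts are illustrative, not
# taken from the exposed database) so the parsing can be exercised offline.
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "6.4.2"}, "tagline": ES_TAGLINE,
})
SAMPLE_AUTH_ERROR = json.dumps({"error": {"type": "security_exception"}, "status": 401})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "rounds", "docs.count": "134000000", "store.size": "40gb"},
    {"index": "notifications", "docs.count": "4900000", "store.size": "1gb"},
    {"index": "activity_feed", "docs.count": "19200000", "store.size": "6gb"},
    {"index": "archive-2017", "docs.count": None, "store.size": None},  # closed index
])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict, indices = probe(target)
    print(f"{target}:9200 -> {verdict}")
    for name, count in indices:
        print(f"  {name}: {count:,} docs")
```

Run it as `python es_open_check.py <host>` against a host you own. A verdict of `open` means exactly what happened here: the cluster banner and the full index list came back to an unauthenticated request, so every document in those indices is readable by anyone who can reach the port. The fix is to bind `network.host` to a private interface, enable authentication (built-in security has been part of the free basic licence since Elasticsearch 6.8 and 7.1), or put port 9200 behind a firewall or an authenticating reverse proxy. The banner check is specific to Elasticsearch; OpenSearch forks return a different tagline and would be reported as `not_elasticsearch`.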
The detailed user profiles contained usernames, hashed passwords, gender, Facebook authorization tokens, and other potentially sensitive information. The Facebook tokens are especially sensitive: until they expire or are revoked, whoever holds one can call Facebook’s API as that user with whatever permissions the app was granted. Combined, this data could be used to build a more complete profile of each user, adding further privacy concerns. This incident once again raises the issue of how applications gather and store user data. A growing concern about tracking and metadata is that users do not see all of this information, how it is used, or what it is used for.
GAME GOLF / Game Your Game Inc. is a privately held company based in San Francisco, California. It is unclear whether this data incident was reported to affected users or to the California Attorney General’s Office. California law (Civil Code §1798.82) requires a business to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Despite several attempts and a request for comment regarding this data incident, GAME GOLF / Game Your Game Inc. had not responded or commented at the time of publication.