Top arcade game maker leaks nearly 19 million user records via WeChat mini app

News
By published

Millions of users may have had data leaked

Back View of Young Black Man Walking and Looking at Big Digital Screens Glitching While Displaying Code Lines. Professional Hacker Breaking Through Cybersecurity Protection System, Changing Code
(Image credit: Shutterstock)
  • Wahlap left an open Elasticsearch instance exposing 18.9 million records tied to its WeChat mini‑program ecosystem
  • Data included 6.6 million unique Union IDs, 1.7 million phone numbers, and personal details that could enable targeted phishing and fraud
  • The archive was locked down after disclosure, though there’s no evidence the exposed information was exfiltrated

Chinese arcade-maker powerhouse Wahlap, reportedly kept a huge user database open on the internet, available to anyone who knew where to look, security researchers from Cybernews have warned, putting personal information at risk.

Wahlap is one of the largest arcade makers in the world, working with some of the biggest names in the gaming industry, such as Sega, or Timezone. It offers Wahlap WeChat mini programs, lightweight applications that run inside the WeChat ecosystem.

For those unfamiliar with WeChat, it is one of the most popular mobile apps in the Chinese market. It is primarily a chat app, but offers all sorts of features from instant payments to, apparently, lightweight gaming. These features come in the form of mini apps displayed within WeChat, and Wahlap seems to have gathered and stored the generated data in an open Elasticsearch instance.

Latest Videos From

Risk of phishing and fraud

The Cybernews team split the information into multiple categories: Wahlap member data, gaming behavior data, asset data, consumer snapshots, and other indices.

In total, 18.9 million records were exposed online, with the Wahlap member data category being by far the biggest. Weighing over 10GB, it contains 6.6M unique Union IDs, 1.7M unique phone numbers, and 24k dates of birth and full names.

The researchers believe that the data could have been used to profile Wahlap users and target them with highly personalized phishing attacks and fraud. “Additionally, the records contained data that revealed user IDs within the Wahlap ecosystem referring to different available mini programs as well as registration dates for specific games,” the Cybernews team said. This is precisely the kind of information that threat actors can use to sound credible.

However, there is no evidence that the data had been exfiltrated already.

Cybernews reached out to Wahlap, and while it didn’t receive a written confirmation or acknowledgement, it did notice that the archive was locked down soon after.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.