Malicious actors took advantage of 75,000 Airsoft players’ personal data after the community site forgot to put a password on its database backups.
On December 6th, 2023, the Cybernews research team discovered that the Airsoft enthusiast community site Airsoftc3.com had failed to configure authentication for its Google Cloud Storage Bucket, which leaked a database backup from 2022 storing large amounts of highly sensitive user data.
The leak’s impact is substantial, affecting 75,000 users and potentially reaching a significant portion of the Airsoft community in the US. Though precise figures for the Airsoft community in the US are unavailable, neighboring Canada reportedly had around 35,000 Airsoft players in 2021.
Heightening the severity, malicious actors have also accessed the leaked database. Cybernews discovered a 12GB file with data airbase backup shared on a hackers’ forum. Cybernews has tried several times to reach out to the company but, at the time of writing, has received no reply.
The leaked data includes:
- Personal emails sent to users
- Usernames and hashed passwords
- Email addresses
- Phone numbers
- Home addresses
- Social media links
- Credentials of the site’s founders and admins
- User posts
The platform, owned by Delaware-based company Airsoft C3, allows US Airsoft players to create accounts, find game fields nearby, and find teams to join and play against.
With an annual revenue of between $2-5 million, the company is listed as one of the main hosts of indoor and outdoor airsoft games, offering field, bb guns, airsoft guns, and protective gear for rent.
Cybersecurity threats
The publicly exposed database backup is sensitive, as it holds nearly all operational information required for the website to function properly, including user data.
The company may face legal and financial risks due to improper storage of personal data. Leaked credentials for administrative accounts could be used to compromise company infrastructure, which may cause further reputational and financial damages.
The evidence of malicious actors accessing and sharing the leaked database heightens the risk of potential attacks targeting the site and its users. With this leaked information, malicious actors could execute a range of attacks, such as account takeovers, credential stuffing, phishing, spam campaigns, identity theft, and doxxing.
