BI.ZONE, which is engaged in digital risk management, found information on the sale of a database of users of the Pin-up betting platform on a shadow forum.bet. More than 9.975 million people became victims of the leak, of which just over 7.8 million accounts were registered in Russia, another 1.3 million in the UK, 600 thousand in Turkey, the rest in Brazil, the USA, Germany and Azerbaijan. The owner of the database is ready to sell it for $ 10 thousand, payment is accepted in cryptocurrency. For this money, he promises to provide the buyer with information about users' email, date of birth, phone number, financial information, address, gender, favorite game in which the largest number of bets are made, etc. "The author of the ad states that the database being sold is relevant for the end of 2020. To prevent possible consequences, we recommend that users change their passwords and set up two-factor authentication, if possible," said Evgeny Voloshin, director of the BI.ZONE expert services unit. The samples (samples of individual users' data) contain personal data, including the city, address, phone number, etc., the correspondent of RBC was convinced. The fact that such a database has been on sale since October 5, RBC was confirmed by Oleg Derov, head of the Group-IB public leaks research group, and Ashot Oganesyan, founder of the DLBI data leak analysis service. "Cases when the data of betting platforms leak into the network are quite rare. I would say that this is a large drain. Most likely, the server was hacked. They could have been merged through some kind of vulnerability like SQLi (one of the common ways of hacking websites and programs working with databases)," Oganesyan notes. At the same time, he doubts that someone will buy the base for the price indicated by the seller, calling it too high. Oleg Derov called the leak quite large, but not a record for either the world or Russia. For example, in 2012-2014, there were massive leaks of VKontakte and Rambler, each of which contained data on more than 90 million users. In September 2021, the group-IB team found about 120 published (not for sale) databases, seven of which were larger than the pin-up leak.bet. At the same time, one of the most massive data leaks of betting platforms occurred in January 2019, when, due to the lack of a password on the Elasticsearch public server, data from the Mountberg Limited online casino group leaked (hereinafter kahunacasino.com includes, azur-casino.com , easybet.com , viproomcasino.net and others), Ashot Oganesyan recalled. The database contained information about more than 108 million bets, winnings, deposits and withdrawals. In addition, names, home addresses, phone numbers, email addresses, dates of birth, account balances and IP addresses, lists of games played by players, etc. have been leaked. Most often, databases put up for sale on the darknet fall to attackers as a result of successful attacks on the organization's infrastructure, either by theft from corporate servers with unclosed Internet access, or, less often, as a result of data being drained by an internal employee, said Alexey Kubarev, an expert at the WATCH Product Center of Rostelecom-Solar. He also noted that, as a rule, when registering bookmakers, users of various services and online casinos provide a fairly complete set of their personal data, including residential address, mobile phone, email address and other sensitive information. "There is nothing surprising in the fact of the leak itself. A betting site always attracts intruders, because it is directly related to financial transactions. Based on the information provided, the leak seems to be very large, but we must understand that 10 million accounts are not 10 million unique users. There will always be a lot of "dead" accounts on such a site, as well as a lot of accounts belonging to the same people, even if it contradicts the user agreement," said Alexander Vurasko, head of the digital threat analysis department at Infosecurity (part of the Softline group of companies), stipulating that the company does not have information about the leak. What the incident threatens users with Oleg Derov says that although account passwords were not stored in the clear in this particular leak, but even without passwords, the leak poses a threat to users. "A huge number of email addresses and phone numbers allows attackers to conduct mass spam mailings. And with the knowledge of additional data from this leak (names, addresses, birthdays, account data, etc.), attackers can carry out targeted phishing and vishing attacks (cybercrimes aimed at stealing personal information by phone)," he said. Such a leak can turn into compromised users either by attempts to scam from scammers, when the attacker first rubs into the user's trust, and then forces them to disclose the data and give the money, or spam from other bookmakers, Ashot Oganesyan agrees. At the same time, Alexander Vurasko drew attention to the fact that the policy of processing personal data is Pin-up.the bid allows for very vague formulations, in particular their transfer to third parties. According to one of the clauses of the user agreement, the company is not responsible for any damage or losses caused, including, but not limited to, loss of data, income, prestige, reputation, as well as for any losses that it cannot foresee. The same agreement states that all disputes are governed by the laws of Cyprus.