- Wahlap left an open Elasticsearch instance exposing 18.9 million records tied to its WeChat mini‑program ecosystem
- Data included 6.6 million unique Union IDs, 1.7 million phone numbers, and personal details that could enable targeted phishing and fraud
- The archive was locked down after disclosure, though there’s no evidence the exposed information was exfiltrated
Chinese arcade-maker powerhouse Wahlap, reportedly kept a huge user database open on the internet, available to anyone who knew where to look, security researchers from Cybernews have warned, putting personal information at risk.
Wahlap is one of the largest arcade makers in the world, working with some of the biggest names in the gaming industry, such as Sega, or Timezone. It offers Wahlap WeChat mini programs, lightweight applications that run inside the WeChat ecosystem.
For those unfamiliar with WeChat, it is one of the most popular mobile apps in the Chinese market. It is primarily a chat app, but offers all sorts of features from instant payments to, apparently, lightweight gaming. These features come in the form of mini apps displayed within WeChat, and Wahlap seems to have gathered and stored the generated data in an open Elasticsearch instance.
Risk of phishing and fraud
The Cybernews team split the information into multiple categories: Wahlap member data, gaming behavior data, asset data, consumer snapshots, and other indices.
In total, 18.9 million records were exposed online, with the Wahlap member data category being by far the biggest. Weighing over 10GB, it contains 6.6M unique Union IDs, 1.7M unique phone numbers, and 24k dates of birth and full names.
The researchers believe that the data could have been used to profile Wahlap users and target them with highly personalized phishing attacks and fraud. “Additionally, the records contained data that revealed user IDs within the Wahlap ecosystem referring to different available mini programs as well as registration dates for specific games,” the Cybernews team said. This is precisely the kind of information that threat actors can use to sound credible.
However, there is no evidence that the data had been exfiltrated already.
Cybernews reached out to Wahlap, and while it didn’t receive a written confirmation or acknowledgement, it did notice that the archive was locked down soon after.
