Nearly 19 million user records have been exposed in a major data breach involving one of the world’s largest arcade machine manufacturers, according to cybersecurity researchers, Cybernews reported.
The leaked data, linked to China-based Wahlap Technology, is believed to include names, phone numbers, behavioural data and system identifiers, with potential ties to the wider Tencent WeChat ecosystem.
Cybersecurity researchers said they discovered three exposed servers on 19 March containing approximately 18.9 million records, including user identifiers, gaming activity logs, asset data and application records.
The exposed database was hosted in an Elasticsearch cluster comprising three servers, a system commonly used to process large volumes of searchable data in real time.
Researchers believe the breach may have originated through integration with WeChat mini programmes—lightweight applications embedded within the WeChat platform that allow users to access services such as games, payments and bookings without downloading separate apps.
WeChat’s “Union ID” system, which enables cross-platform user tracking across different mini programmes, is thought to have played a central role in the exposed dataset.
In total, the most extensive dataset contained more than 10GB of information, including approximately 6.6 million unique Union IDs, 1.7 million phone numbers and thousands of records containing dates of birth and full names.
Alarmingly, researchers also identified around 3,800 records linked to underage users, Cybernews reported.
A second dataset covering gaming behaviour included 1.3 million records, detailing user activity such as favourite machines, visit frequency and location-based engagement at arcade venues.
Additional datasets contained more than 1.4GB of asset-related data, including coupon information and user entitlement records, alongside millions of application logs and system identifiers.
Researchers warned that even though there was no evidence the exposed data had been actively exploited, the scale and granularity of the information could enable highly targeted phishing campaigns and social engineering attacks, Cybernews reported.
“With access to behavioural and identity data, malicious actors could build detailed user profiles,” the researchers said, adding that location-linked data could also increase stalking and impersonation risks.
The cluster was reportedly taken offline several days after discovery.
The findings add to a growing list of large-scale data exposures in China and beyond, where misconfigured cloud infrastructure and exposed databases have repeatedly left sensitive information publicly accessible.
Leave a Comment