Exposed Database from My WinStar App Raises Privacy Concerns

A security lapse in a logging database associated with the My WinStar app, developed by Nevada startup Dexiga for the casino resort giant WinStar, has raised concerns over customer privacy. The database, left unprotected on the internet without a password, contained personal information of WinStar customers, including full names, phone numbers, email addresses, and home addresses.

Anurag Sen, a security researcher, discovered the exposed database and shared the findings with TechCrunch. The database also included gender information and device IP addresses. While sensitive data like birthdates were redacted, none of the information was encrypted.

TechCrunch verified Sen’s findings and identified an internal user account and password linked to Dexiga’s founder, Rajini Jayaseelan. Installing the My WinStar app on an Android device and signing up with a controlled phone number confirmed the database’s association with the app.

Upon notification, Dexiga secured the exposed database but downplayed the incident, claiming it contained only “publicly available information” and denying exposure of sensitive data. Dexiga attributed the security lapse to a log migration in January, with the exposed database containing logs dating back to January 26.

Jayaseelan did not disclose whether Dexiga could determine if others accessed the database or if affected customers would be notified. Dexiga stated they are investigating the incident and will take necessary actions.

WinStar’s general manager, Jack Parkinson, did not respond to TechCrunch’s requests for comment regarding the security lapse.
