Someone misused Rec Room’s friend-finder feature to match phone numbers to the user names of hundreds of thousands of players on the social gaming platform — assembling a database that connects their online identities directly to their real-world contact information.
The incident, which took place in January, hasn’t been previously reported or publicly acknowledged except in a brief response by a Rec Room staffer to a question in an online forum. It’s not directly related to the subsequent announcement that the Seattle-based company will shut down the social gaming platform June 1, after 10 years in business.
In messages to GeekWire, a person familiar with the incident expressed concern that Rec Room has never proactively notified users whose phone numbers and user identities were linked through the brute-force attack — leaving them unaware of the situation and vulnerable to harassment, phishing, or other attacks, especially as the platform shuts down.
Responding to our inquiries about the incident, the company acknowledged that it learned in January that an individual was running a high volume of queries against its friend-finder API. After discovering this, the company said, it disabled the feature and banned the user.
Rec Room said it engaged an outside legal and forensics firm to conduct a review, which concluded that disabling the API was sufficient and no regulatory notification was required. The feature only returned a username when matched with a phone number or email, Rec Room said, and did not expose additional account information or credentials.
“We take user safety and security seriously and have robust measures in place to protect user data,” a Rec Room spokesperson said in a follow-up statement, adding that the company “reviewed our privacy settings and confirmed they’re working as intended.”
What happened: The incident didn’t involve someone breaking into Rec Room’s servers or accessing its database directly.
Instead, it happened through the platform’s friend-finder feature, which let players upload their phone contacts to see which of their friends were already on the platform. Under the hood, the system accepted a phone number and returned a Rec Room username if there was a match.
The feature was designed for individual users checking their personal contacts. However, the system had no apparent safeguards to prevent someone from querying it at a massive scale.
That’s what happened in January, according to the person familiar with the matter. Someone systematically ran all US and Canadian phone numbers through the system, collecting every hit. The result, the person said, was a database of nearly 279,000 records.
The database was subsequently sold to others, according to the person familiar with the incident, who said the system used to distribute it was itself not secure, potentially making it accessible to a wider audience.
Rec Room’s response: Asked about the size of the database, Rec Room said it did not recognize the number provided by the source, but did not offer its own count of affected users. Without additional information, it’s unclear if the company has determined the size of the assembled database or the full scope of the incident.
Rec Room said no phone numbers or emails were acquired directly from the company.
Responding to a user question about the incident in the company’s Discord server on Feb. 19, a Rec Room staffer said the platform had previously allowed users to find friends by searching their contacts, and that some users were “abusing this functionality at scale.”
The message said the feature had been disabled “out of an abundance of caution.”
Why it matters now: The company has not proactively notified affected users. Rec Room said its support team has been responding to players who’ve contacted the company after receiving unsolicited texts that were apparently connected to the assembled database.
With the platform now scheduled to shut down June 1, the window for proactive notification is closing. After that date, Rec Room will no longer have an in-app channel to reach its players.
Rec Room’s shutdown itself could increase the risk. An attacker with the database could use the closure to craft convincing phishing messages — for example, a text or email impersonating Rec Room and urging players to click a link to export their data before the platform goes dark. The shutdown would give such a message built-in plausibility.
Phone numbers can also be used to find real names and home addresses through publicly available records, or to attempt SIM swapping, in which an attacker takes over a victim’s phone number to intercept calls, texts, and authentication codes. Users can lock their phone number through their wireless carrier’s app or website, typically with a PIN, to help prevent this.
Privacy settings: One issue in dispute involves Rec Room’s privacy settings. The platform offered users a toggle to prevent others from finding them by phone number or email address.
But the person familiar with the incident said the setting did not protect against the type of mass queries used in the attack. This person said their own data appeared in the database despite having the setting turned off, and provided a screenshot supporting this assertion.
(The person declined to be identified, citing concerns that publishing their name could allow someone to use the data to connect their identity to their home address and other personal details using public records.)
Asked about the privacy setting, Rec Room said it verified that it worked as designed.
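For readers who build or review contact-discovery features, the following is an added illustration (not Rec Room's code, and not a description of how its API was implemented) of the safeguards the article says were missing: a per-caller lookup budget, a cap on batch size that fits a real address book rather than a number range, a discoverability flag that is enforced on the server for every lookup, and a detection pass over access logs that flags callers whose volume or near-zero match rate looks like range scanning. The keyed-hash directory, the limits, the log line format and the user names are all constructed for the example.

```python
"""Added example: a contact-discovery lookup with abuse safeguards.

Assumptions (not from the article): phone numbers are stored as HMAC
tokens rather than in plaintext, the limits below are illustrative,
and the access-log format is invented for the detection function.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"   # constructed
MAX_BATCH = 500                  # one upload of a real address book
MAX_LOOKUPS_PER_WINDOW = 2000    # numbers a caller may probe per window
WINDOW_SECONDS = 24 * 3600


def phone_token(number: str) -> str:
    """Keyed hash of an E.164 number; the plaintext is never stored."""
    return hmac.new(SERVER_KEY, number.encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    username: str
    discoverable_by_phone: bool   # the user's privacy toggle


# Constructed directory: token -> account.
DIRECTORY = {
    phone_token("+12065550101"): Account("alice", True),
    phone_token("+12065550102"): Account("bob", False),    # opted out
    phone_token("+14165550199"): Account("carol", True),
}


class LookupQuota:
    """Fixed-window budget of numbers each caller may look up."""

    def __init__(self, limit=MAX_LOOKUPS_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.used = {}   # caller -> (window_start, numbers_charged)

    def charge(self, caller: str, amount: int, now: float) -> bool:
        start, count = self.used.get(caller, (now, 0))
        if now - start >= self.window:          # window rolled over
            start, count = now, 0
        if count + amount > self.limit:
            self.used[caller] = (start, count)  # record, but refuse
            return False
        self.used[caller] = (start, count + amount)
        return True


def find_friends(caller: str, numbers: list, quota: LookupQuota, now: float):
    """Return (status, usernames). The toggle is checked per match, so a
    user who opted out is invisible no matter how the lookup is issued."""
    if len(numbers) > MAX_BATCH:
        return "batch_too_large", []
    if not quota.charge(caller, len(numbers), now):
        return "quota_exceeded", []
    matches = []
    for number in numbers:
        acct = DIRECTORY.get(phone_token(number))
        if acct is not None and acct.discoverable_by_phone:
            matches.append(acct.username)
    return "ok", matches


# Constructed access log: one line per batch lookup.
SAMPLE_LOG = """\
2026-01-14T03:00:01Z caller=u1001 batch=120 hits=37
2026-01-14T03:00:05Z caller=u4242 batch=500 hits=4
2026-01-14T03:00:06Z caller=u4242 batch=500 hits=3
2026-01-14T03:00:07Z caller=u4242 batch=500 hits=2
2026-01-14T03:00:08Z caller=u4242 batch=500 hits=5
2026-01-14T03:00:09Z caller=u4242 batch=500 hits=1
2026-01-14T03:01:00Z caller=u7 batch=300 hits=0
"""
LOG_LINE = re.compile(r"caller=(\S+) batch=(\d+) hits=(\d+)")


def flag_enumeration(log_text: str, volume_limit=MAX_LOOKUPS_PER_WINDOW,
                     min_hit_ratio=0.01, ratio_min_volume=1000) -> dict:
    """Flag callers by total volume, and by a near-zero match rate once
    volume is large (a heuristic: real address books match some users,
    a scanned number range mostly does not)."""
    totals = defaultdict(lambda: [0, 0])   # caller -> [numbers, hits]
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        caller, batch, hits = m.group(1), int(m.group(2)), int(m.group(3))
        totals[caller][0] += batch
        totals[caller][1] += hits
    flagged = {}
    for caller, (numbers, hits) in totals.items():
        reasons = []
        if numbers > volume_limit:
            reasons.append("volume")
        if numbers >= ratio_min_volume and hits / numbers < min_hit_ratio:
            reasons.append("low_hit_ratio")
        if reasons:
            flagged[caller] = reasons
    return flagged


if __name__ == "__main__":
    q = LookupQuota(limit=10)
    print(find_friends("u1", ["+12065550101", "+12065550102"], q, now=0.0))
    print(flag_enumeration(SAMPLE_LOG))
```

The two controls are deliberately independent: the quota and batch cap make scanning a national number range impractical through the normal API, while the log pass catches a caller who spreads lookups across many accounts or windows. The opt-out toggle is applied inside `find_friends` for every match rather than in a separate search path, which is the property a reviewer would want to verify when a platform says its privacy setting "worked as designed".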
Historical precedents: It’s not the first time a social platform has faced this type of incident.
In 2014, an attacker used the same approach against Snapchat’s friend-finder feature, matching usernames to 4.6 million phone numbers. Snapchat was criticized for initially dismissing the vulnerability and took more than a week to apologize, but later acknowledged the breach, updated its app, and let users opt out of the feature.
In 2021, a similar technique was used to assemble a database of phone numbers and personal information from more than 530 million Facebook users. Facebook said it had fixed the underlying flaw in 2019 but declined to individually notify affected users, saying it couldn’t be certain which users needed to be notified.
Rec Room’s approach has more closely resembled Facebook’s: maintaining that the incident did not create a security or privacy risk and that no user data was acquired from its systems.
Rec Room’s user base: Rec Room attracted more than 150 million lifetime players across phones, consoles, PCs, and VR headsets, with millions still active each month before the shutdown was announced.
Rec Room CEO Nick Fajt told the Wall Street Journal in 2021 that the bulk of the platform’s users were between the ages of 13 and 16 — meaning many of the phone numbers in the assembled database would belong to minors or their parents.
The company’s path: Rec Room launched in 2016 as a platform for building and sharing virtual worlds. Founded by a group of former Microsoft engineers, the company went on to raise $294 million in venture funding over its lifetime, and was valued at $3.5 billion at its peak in 2021.
But it never found a way to become profitable, cutting staff in two rounds of layoffs last year.
The person familiar with the matter said last year’s layoffs significantly impacted the company’s cybersecurity team. The company also paused its bug bounty program on the security platform Bugcrowd on Feb. 10, halting new vulnerability reports. The program has not reopened.
After the March shutdown announcement, Snap acquired select assets from Rec Room, and some members of the team joined the Snapchat parent’s hardware subsidiary to work on its Specs augmented reality glasses. It’s not clear if any were impacted in Snap’s cuts last week.
What to know: Rec Room users who linked a phone number to their account should be aware that their number may have been connected to their user name in the assembled database.
Users should be skeptical of any unsolicited texts or emails related to Rec Room or to the upcoming shutdown, particularly messages urging them to click links.
With the platform closing in less than seven weeks, the person familiar with the incident said they hope bringing public attention to the issue will help users be alert to the risks.