Wandera said CBS Sports failed to properly encrypt its site and app. "This does not mean that the app or website was breached by an attacker. Instead, the app/site development teams simply failed to use encryption to protect the user's sensitive data," said Covington.
The report found that both the Android and iOS versions of the CBS Sports app, as well as the CBS mobile website, left user names, dates of birth, email addresses, account passwords and ZIP codes in clear text during registration.
"Once you have that information, you have the keys to the kingdom," said Covington.
CBS Sports denied the claims of a data breach and said it is rigorous about monitoring its platforms for any potential security issues. "There was no data breach on either the CBS Sports app or mobile site," CBS Sports Digital said in a statement. "We take issue with outside companies publicizing the security operations of other firms for their own purposes rather than user protection."
Wandera said it came across the alleged vulnerability unexpectedly, while doing research on sports applications ahead of March Madness. As its engineers tracked data across various sports sites, they noticed unprotected data coming across its cloud service from CBS.
Once its engineers discovered the issue, Wandera said, it immediately notified the network. It took about a month, but CBS notified Wandera the bug had been fixed, the security firm said.
The CBS Sports app was downloaded 5 million to 10 million times on Google Play, and it is one of the top downloaded sports applications in Apple's iTunes store.