Dungeon Crusher Data Breach Exposes Player Data
Thousands of players of the popular RPG Dungeon Crusher have had their data exposed due to a misconfigured Elasticsearch instance, according to recent reports from Cybernews. The breach included partial credit card details, email addresses and in-game chat logs.
What Happened?
Cybernews research revealed that a misconfiguration in the game’s infrastructure left 24.5 million records of in-game messages publicly accessible. These records contained timestamps and the content of the messages themselves. More concerning, approximately 151,000 out of 198,000 leaked web purchase records included sensitive information such as IP addresses, partial credit card numbers, email addresses, and the location of the purchase. Over 20,000 records detailing in-game purchases contained transaction status, dates, payment currency, Steam identifiers, and order/item IDs. Roughly 65,500 purchase records originating from mobile app stores were also exposed.
What Data Was Exposed?
- In-game chat logs: 24.5 million records of messages, including timestamps and content.
- Purchase data: IP addresses, partial credit card numbers, email addresses, purchase locations, transaction details, Steam identifiers, and mobile app store purchase records.
Potential Risks
The exposed data presents several risks to Dungeon Crusher players, including:
- Fraud: Partial credit card information could be used for fraudulent transactions.
- Phishing: Exposed email addresses can be targeted in phishing attacks.
- Identity Theft: Combined data points could contribute to identity theft.
- Targeted Attacks: Information about in-game purchases and activity could be used for targeted attacks or scams.
Developer Response
According to Cybernews, the exposed data was secured after researchers contacted the game’s developer, Towards Mars. However, Towards Mars has not yet issued a public comment regarding the breach.
What Can Players Do?
Players of Dungeon Crusher should remain vigilant and take the following steps to protect themselves:
- Monitor financial accounts: Regularly check bank and credit card statements for any unauthorized activity.
- Be wary of phishing attempts: Be cautious of any unsolicited emails or messages asking for personal information.
- Enable two-factor authentication: Where available, enable two-factor authentication on all accounts.
- Use strong, unique passwords: Ensure strong, unique passwords are used for all online accounts.
This incident highlights the importance of robust security measures and proper configuration of databases, particularly those handling sensitive user data.