Data Security

Unsecured Elasticsearch database leaks Dungeon Crusher players’ purchase data

concept of leaky software, data with a tap sticking out.3d illustration

Cybernews reports that Dungeon Crusher, a widely played RPG game, had its players' partial purchase data and in-game chats inadvertently leaked by a misconfigured Elasticsearch instance.

Analysis conducted by the Cybernews research team found that 24.5 million records of in-game messages, including timestamps and message content, were leaked. Researchers also flagged that 151,000 of 198,000 leaked web purchase records include IP addresses, partial credit card numbers, email addresses, and purchase location information. Over 20,000 records that exposed transaction status and dates, payment currency, Steam identifiers, and order and item IDs were linked to in-game purchases. Roughly 65,500 purchase records made through mobile app stores were also exposed.

The exposed Dungeon Crusher data was reportedly secured after researchers contacted the company but provided no comment on the leak. Researchers warned that the exposed data could be exploited for fraud, targeted phishing, identity theft, and other future attacks. The RPG game was developed by Towards Mars.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds