Dungeon Crusher leak has exposed user data, claims Cybernews

According to a report by Cybernews, the hit role-playing game (RPG) Dungeon Crusher has reportedly exposed the sensitive purchase data of millions of its users.

The publication claims that a critical misconfiguration in the game’s infrastructure left an Elasticsearch instance unprotected, allowing anyone on the internet to access a treasure trove of player information without a password.

The breach is particularly concerning because it spans multiple platforms, including Steam, mobile app stores, and the game’s official website.

Researchers discovered that approximately 198,000 web purchase records were leaked, with the most severe exposure affecting those who bought items directly through the developer’s web interface.

Unlike third-party platforms such as Google or Apple, these direct payments were processed through the developer’s own logging systems, which failed to secure partial credit card numbers, email addresses and precise geographic coordinates.

Treasure trove for cybercriminals

Cybernews researchers identified 151,000 records that included not only partial payment data but also IP addresses and GeoIP data so precise it included specific city districts. Beyond web transactions, the leak unmasked 23,000 Steam purchase records—including 17-digit SteamID64 identifiers—and roughly 65,500 mobile purchase records containing Google Play order IDs.

The security researchers also stumbled upon a staggering 24.5 million in-game chat messages. While these messages could not be immediately linked to specific user accounts, the sheer volume of exposed communication adds another layer of privacy concern for a game that boasts over 5 million downloads on Google Play alone.

The game’s developer, Cyprus-based Towards Mars Ltd., has since secured the data after being contacted by researchers. However, the studio has yet to provide an official comment or apologize to its affected player base.

Security experts warn that this data is “low-hanging fruit” for bad actors. The combination of email addresses and purchase history creates a perfect storm for targeted phishing attacks, where scammers can pose as game support to trick players into handing over full credit card details or account credentials.

As the industry grapples with the fallout, the Cybernews team emphasized that this incident serves as a stark reminder for gamers to approach aggressive in-game advertisements with scepticism, noting that high-growth games do not always prioritize the robust data protection their customers deserve.

https://cybernews.com/security/dungeon-crusher-purchase-data-leak/