Gamers’ credit cards at risk after popular RPG Dungeon Crusher exposes data

A hit RPG game has accidentally exposed something far more valuable than loot. A misconfiguration in the game’s infrastructure left players’ purchase data accessible to anyone on the internet.
The Cybernews research team discovered that a popular RPG game, Dungeon Crusher, had exposed in-game purchase data across multiple platforms. The leak spans purchases that players made through the game’s website, Steam, and mobile app stores.
Caused by an unprotected Elasticsearch instance, the leak allowed anyone on the internet to access players' purchases. Roughly 53% of leaked purchase records contained partial credit card data and precise location details, while about 57% of records exposed players’ email addresses.
The game was developed by Towards Mars Ltd., a Cyprus-based studio founded in 2010. Dungeon Crusher is its flagship title, which has more than 5 million downloads on Google Play. On Apple’s marketplace, the company’s game appears under the name Dungeon Crusher AFK Heroes.
After discovering the data leak, Cybernews researchers contacted the company immediately. The data has been secured on the company’s side, but it has not provided any comment on the matter.
Our journalists reached out to the company before this publication went live, but they have not received a response.
What data was leaked?
The most serious exposure stems from purchases made directly through the game’s web interface. Unlike transactions handled by third parties such as Steam or Google, website payments are processed under the developers’ own logging systems. That is where the cracks appeared.
Researchers identified approximately 198,000 web purchase records that were leaked. Of those, around 151,000 included:
- Partial credit card numbers
- User email addresses
- IP addresses
- GeoIP data, including city, district, and precise geographic coordinates of the purchase location
The remaining web records still exposed email addresses and approximate location data, such as country and city.
Messages, locations, and transactions leaked
The exposure was not limited to web transactions. Approximately 23,000 records tied to in-game purchases through Steam were also found. These included:
- Steam identifiers (some in the 17-digit SteamID64 format, others in an older 10-digit format)
- Transaction dates
- Payment currency
- Order and item IDs
- Transaction status
On the mobile side, around 65,500 purchase records were discovered. These included:
- Google Play order IDs in the GPA format
- Country codes and related metadata
Our researchers also discovered that 24.5 million records of in-game chat messages were exposed, including message content and timestamps. However, the messages could not be linked to specific users.
Why should we care?
The Cybernews research team warns that leaking in-game purchase data might have serious consequences. Exposed purchase data opens the door for targeted phishing, identity theft, fraud, and reconnaissance for future attacks, especially when paired with info from other breaches.
Apart from the risk to players, the security incident could also hit the studio where it hurts most – its reputation. Players spooked by the breach might walk away and flock to competitors.
Games like Dungeon Crusher are aggressively promoted through online ads that promise rapid progression and effortless upgrades. These ads are often highly effective in persuading individuals to try the game.
“This situation emphasizes the need for the public to approach game advertisements with skepticism, as despite their engaging nature, companies that produce such products may not prioritize consumer data protection,” our research team warned.
Disclosure Timeline
Leak discovered: January 8th, 2026
Initial disclosure: January 12th, 2026
Leak closed: January 19th, 2026