Cyber Incident Victim: Creators of Escalators
Date:
Nov 2022
Location:
Israel
Summary
The source code of the mobile game Escalators was leaked on hacker forums, exposing Firebase credentials and obfuscated in‑app payment API keys that could be deobfuscated. This exposure enables attackers to access private user data stored in Firebase, manipulate that data, and make unauthorized in‑app purchases, leading to potential data theft, manipulation, and financial loss for the developer.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early November 2022, a dataset of approximately 600 megabytes was extracted from the systems associated with the mobile game Escalators. The extracted files were later posted on several popular hacker forums by an unidentified threat actor. Cybernews researchers discovered the leak and published their findings on February 14, 2023, noting that the data allegedly originated from the creators of Escalators, a game published by Supersonic Studios LTD. The researchers indicated that the breach could affect user data and the game's intellectual property.

The leaked dataset contained the full source code of Escalators, which could expose the game's internal logic and security mechanisms. Alongside the source code, the leak included a Firebase URL and its associated key, which according to the researchers could allow attackers to access private user data stored in the Firebase database, potentially leading to data theft or manipulation. The leak also revealed Google and Apple in‑app payment application programming interface keys; although the keys were obfuscated, the researchers found instructions within the leak for deobfuscating them. With these payment keys, attackers could theoretically process in‑app purchases without the developer's authorization, resulting in financial losses and fraudulent activity. Additionally, the payment keys could be used to read order IDs, anonymized user IDs, and purchase tokens that verify entitlement to in‑app products.
Cybernews attempted to contact Supersonic Studios and the game's developers for comment but did not receive an immediate reply. Escalators is described as a relatively popular title with over ten million downloads on the Google Play Store and tens of thousands of ratings on Apple's App Store. Supersonic Studios LTD is identified as a mobile game publisher and studio headquartered in Tel Aviv. The researchers warned that the combination of exposed source code, Firebase credentials, and payment API keys increases the risk of both data compromise and unauthorized monetary transactions.
