Cyber Incident Victim: Supersonic Studios LTD

In early November 2022, threat actors extracted approximately 600 MB of data from the mobile game "Escalators," developed by Supersonic Studios LTD. The stolen information was subsequently posted on multiple hacker forums, with the breach becoming publicly visible through these disclosures. The leaked dataset contained the game's complete source code, exposing intellectual property and internal development frameworks. Researchers identified that the source code disclosure posed significant security risks, as attackers could analyze it to identify vulnerabilities for future exploits. Additionally, the leak included the Firebase database URL and its corresponding access key, which provided potential access to private user data stored on the platform. Firebase served as the primary data storage solution for the game, meaning unauthorized parties could manipulate or exfiltrate user information.

The compromised data also contained Google and Apple in-app payment API keys, which were obfuscated but accompanied by deobfuscation instructions. These keys enabled processing of in-app purchases, and their exposure created avenues for financial fraud, including unauthorized purchases that could lead to direct revenue loss for Supersonic Studios. Attackers could also leverage the keys to access order IDs, anonymized user identifiers, and purchase tokens—critical elements for validating user entitlements to purchased content. The game, with over 10 million downloads on Google Play Store and tens of thousands of App Store ratings, faced amplified risks due to its large user base. Supersonic Studios, headquartered in Tel Aviv, did not issue an immediate public response or acknowledgment of the breach when contacted by researchers. The incident remained unresolved in subsequent reports, with no disclosed containment or remediation actions from the developers or publisher.