
Cyber Incident Victim: Supersonic Studios LTD

Date: Nov 2022

Location: Israel

Summary

A mobile game publisher experienced a significant data breach when attackers leaked nearly 600MB of sensitive information, including the game's source code, Firebase database credentials, and obfuscated in-app payment API keys. The exposure of Firebase access details risked unauthorized access to private user data, while compromised payment keys could enable fraudulent transactions and financial losses, alongside potential theft of intellectual property. The breach also threatened user anonymity through exposed purchase tokens and anonymized identifiers, impacting a game with over ten million downloads across major platforms.


Description

On or around November 1, 2022, attackers extracted approximately 600 MB of data from Supersonic Studios LTD, publisher of the mobile game Escalators. The stolen dataset was subsequently posted on multiple hacker forums, exposing sensitive technical assets. The breach included the game’s full source code, which posed intellectual property risks and created opportunities for attackers to identify vulnerabilities for future exploits. Additionally, the leak contained the Firebase database URL and its associated access key, potentially enabling unauthorized access to private user data stored on the platform. Google and Apple in-app payment API keys were also compromised, though these were obfuscated; instructions to deobfuscate them accompanied the leaked data. The files were confirmed to have been extracted in early November 2022, though the exact intrusion vector remained unspecified. Supersonic Studios, headquartered in Tel Aviv, did not issue an immediate public response when contacted by researchers. Escalators, available on both Google Play and Apple’s App Store, had over 10 million downloads at the time of the incident.

The exposure of Firebase credentials created risks of data theft or manipulation of user information stored in the database. Compromised in-app payment API keys could have allowed attackers to process fraudulent purchases, leading to potential financial losses for Supersonic Studios and undermining user trust. These keys also provided access to transactional data, including order IDs, anonymized user identifiers, and purchase tokens used to validate legitimate in-app product entitlements. While no direct evidence of data misuse or financial fraud was confirmed in the source material, the combination of exposed source code and API keys significantly expanded the attack surface. The incident impacted a widely distributed application, with tens of thousands of user ratings across both major mobile platforms underscoring its reach. Researchers emphasized the broader security implications of source code leaks, which could facilitate long-term exploit development against the game’s infrastructure. No containment measures, forensic findings, or post-incident actions by Supersonic Studios were disclosed in the available reporting.
