Dark Web News Analysis
The dark web news reports the sale of a massive database belonging to Spacetime Studios, the developer behind popular mobile MMORPGs like Pocket Legends and Arcane Legends. A threat actor is offering a dataset containing approximately 8 million user records.
According to the seller, the data originates from a breach that occurred in October 2020. The attack vector described is highly technical and sophisticated: the attacker claims to have exploited a Local File Inclusion (LFI) vulnerability and escalated it to Remote Code Execution (RCE) via a technique known as “Log Poisoning.” The compromised data reportedly includes user credentials hashed with bcrypt, a strong, deliberately slow hashing algorithm, though the risk from password reuse remains high.
Key Cybersecurity Insights
While the breach date is from 2020, the resurfacing of this dataset in 2026 presents significant risks:
- The “Log Poisoning” Technique: This is a textbook example of advanced web exploitation. Attackers inject PHP code into server logs (e.g., by sending it in a fake User-Agent string), then use an LFI vulnerability to make the application include that log file, so the injected code runs as a script. This grants them full control over the server, allowing them to steal the entire database.
- Credential Stuffing Fuel: Even though the passwords are bcrypt hashed (hard to crack), the sheer volume (8 million records) makes this a goldmine for “Credential Stuffing.” Attackers know that gamers often reuse passwords across platforms (e.g., Steam, Discord, Email). They won’t try to crack the bcrypt hashes; they will test the usernames against other breaches where passwords were plain text.
- Virtual Economy Theft: Spacetime Studios games have active virtual economies. Legacy accounts often hold rare items or currency that have appreciated in value. Attackers buy these databases specifically to strip old accounts of digital assets.
- Zombie Accounts: Many of the 8 million users may be inactive. “Zombie” accounts are valuable because the legitimate owner is unlikely to notice the intrusion, allowing attackers to use the account for spam or laundering virtual currency for months undetected.
Mitigation Strategies
To protect the gaming community and infrastructure, the following strategies are recommended:
- Forced Password Reset: If Spacetime Studios did not force a global password reset in 2020, they must do so now. Any account that has not updated its password since October 2020 should be flagged as high-risk.
- Code Audit (LFI Focus): The development team should conduct a targeted code audit for file inclusion vulnerabilities, ensuring that user input is never passed directly to filesystem APIs (such as include or require in PHP).
- Two-Factor Authentication (2FA): Gamers should enable 2FA on their associated email addresses. If the game supports 2FA/MFA, it should be incentivized (e.g., “Enable 2FA for a free in-game item”).
- Log Analysis: Review historical logs (if available) and current logs for “poisoning” attempts, such as User-Agent strings containing PHP code (e.g., <?php system($_GET['cmd']); ?>).
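As an added defensive example (not code from the Brinztech post), the following Python scans combined-format access log lines for the two halves of the chain described above: PHP open tags in the User-Agent (the poisoning write) and traversal or log-file paths in the request (the include step), then correlates the two per source IP. The log lines are constructed samples, and the regexes and function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Oct/2020:14:02:11 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/81.0"
203.0.113.5 - - [03/Oct/2020:14:02:19 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "<?php system($_GET['cmd']); ?>"
203.0.113.5 - - [03/Oct/2020:14:02:27 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2020:14:05:01 +0000] "GET /index.php?page=%3C%3Fphp%20phpinfo%28%29%3B%20%3F%3E HTTP/1.1" 404 210 "-" "curl/7.68.0"
192.0.2.9 - - [03/Oct/2020:14:06:40 +0000] "GET /feed.xml HTTP/1.1" 200 880 "-" "FeedReader/2.1 (+<?xml>)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)  # <?php / <?= but not a plain <?xml
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|/var/log/|/proc/self/", re.I)  # "include the log" step

def scan_log(text):
    """Return one finding {'line', 'ip', 'reasons'} per suspicious log line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue
        ua, path = unquote(unquote(m["ua"])), unquote(unquote(m["path"]))  # double-decode
        reasons = []
        if PHP_TAG_RE.search(ua):
            reasons.append("php-in-user-agent")
        if PHP_TAG_RE.search(path):
            reasons.append("php-in-request")
        if TRAVERSAL_RE.search(path):
            reasons.append("traversal-or-logfile-path")
        if reasons:
            findings.append({"line": n, "ip": m["ip"], "reasons": reasons})
    return findings

def poison_then_include(findings):
    """IPs that wrote PHP into the log and then requested a traversal/log path."""
    poisoned, hits = set(), set()
    for f in findings:  # findings are in log order, so 'poisoned' is seen first
        if "php-in-user-agent" in f["reasons"]:
            poisoned.add(f["ip"])
        if "traversal-or-logfile-path" in f["reasons"] and f["ip"] in poisoned:
            hits.add(f["ip"])
    return hits

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(found, sorted(poison_then_include(found)))
```

A single-line hit is worth an alert on its own; the per-IP correlation is what separates a real poison-then-include sequence from scanner noise.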
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com