# Full Report
In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository. The incident exposed 64k unique email addresses along with usernames, IP addresses, support tickets and passwords stored as bcrypt hashes.
# Analysis Summary
# Incident Report: Atlas Menu Database Compromise
## Executive Summary
In May 2026, the game modification and cheat service provider Atlas Menu experienced a complete system compromise. An unauthorized actor gained access to the service's backend infrastructure, resulting in the theft and public leak of a database containing records for approximately 64,000 users. The breach led to the exposure of sensitive user information, including hashed passwords and internal support communications.
## Incident Details
- **Discovery Date:** May 30, 2026 (Added to HIBP)
- **Incident Date:** May 2026
- **Affected Organization:** Atlas Menu
- **Sector:** Gaming / Software Utilities
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Targeted system intrusion (Specific entry point undisclosed)
- **Details:** The attacker claimed to have gained administrative access to "all Atlas systems," suggesting a compromise of high-level credentials or a critical vulnerability in the web infrastructure.
### Lateral Movement
- Details regarding internal movement are not publicly disclosed; however, the attacker successfully moved from the initial entry point to the primary database servers hosting user information and support tickets.
### Data Exfiltration/Impact
- The attacker extracted the full user database and subsequently published the contents to a public GitHub repository, making the data accessible to any third party.
### Detection & Response
- **Detection:** The breach was identified following the public disclosure and publication of the data by the threat actor.
- **Response Actions:** The incident was indexed by "Have I Been Pwned" on May 30, 2026, to notify affected users. Recommended actions for users include mandatory password resets and the implementation of Multi-Factor Authentication (MFA).
## Attack Methodology
- **Initial Access:** Compromise of backend systems/servers.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Attacker claimed "access to all systems," indicating successful escalation to administrative/root privileges.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Extraction of the user database containing bcrypt password hashes.
- **Discovery:** Accessing internal support ticket systems.
- **Lateral Movement:** Movement from the web/application tier to the database tier.
- **Collection:** Automated extraction of 64,000 user records.
- **Exfiltration:** Data uploaded to a public GitHub repository.
- **Impact:** Complete loss of confidentiality for the user database and support history.
## Impact Assessment
- **Financial:** Potential loss of revenue from service distrust; no direct financial theft reported.
- **Data Breach:** Exposure of 63.9k unique email addresses, usernames, IP addresses, support tickets, and bcrypt-hashed passwords.
- **Operational:** Potential shutdown of services or infrastructure for remediation.
- **Reputational:** High; public publication of the database on GitHub causes significant trust erosion within the gaming community.
## Indicators of Compromise
- **Network indicators:** hxxps[://]atlasmenu[.]net (Affected Domain)
- **File indicators:** Data dump hosted on github[.]com (Repository specifics redacted)
- **Behavioral indicators:** Unauthorized administrative access to backend database environments.
## Response Actions
- **Containment:** (Assumed) Auditing of GitHub repositories to request take-down of leaked data.
- **Eradication:** (Assumed) Rotation of all internal system credentials and API keys.
- **Recovery:** Notification of the breach via third-party services (HIBP) to prompt user-side security measures.
## Lessons Learned
- **Credential Reuse Risk:** The exposure of 64k emails and hashes underscores the risk to users who reuse passwords across multiple gaming services.
- **Support Ticket Privacy:** Support tickets often contain sensitive personal information; the leak of these logs provides attackers with context for secondary social engineering attacks.
- **Infrastructure Hardening:** A single point of failure likely allowed the attacker to claim access to "all" systems.
## Recommendations
- **Implement MFA:** Enforce Multi-Factor Authentication for both staff administrative access and user accounts.
- **Database Encryption:** Ensure that sensitive table columns (beyond just passwords) are encrypted at rest.
- **Access Control:** Implement the principle of least privilege (PoLP) to ensure a compromise of the web server does not automatically grant access to the entire database or support ticket history.
- **Log Monitoring:** Deploy File Integrity Monitoring (FIM) and database activity monitoring so that bulk data exports are detected in real time.
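As an added example (not code from Atlas Menu or this report), the bulk-export check recommended above, run over constructed database audit log lines; the log format, the table names and the 10,000-rows-in-5-minutes threshold are assumptions for the example:

```python
# Added example (not Atlas Menu's code): flag database sessions that read an
# unusually large number of rows from user or support-ticket tables in a short
# window. Log format, table names and thresholds are assumptions for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: one account drains the users and tickets tables.
SAMPLE_LOG = """\
2026-05-14T02:10:01Z user=web_app stmt=SELECT table=users rows=1
2026-05-14T02:11:30Z user=admin_backup stmt=SELECT table=users rows=20000
2026-05-14T02:11:45Z user=admin_backup stmt=SELECT table=users rows=20000
2026-05-14T02:12:05Z user=admin_backup stmt=SELECT table=users rows=24000
2026-05-14T02:12:40Z user=admin_backup stmt=SELECT table=support_tickets rows=9000
2026-05-14T03:00:00Z user=reporting stmt=SELECT table=users rows=500
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) stmt=(?P<stmt>\S+) "
                     r"table=(?P<table>\S+) rows=(?P<rows>\d+)$")
SENSITIVE_TABLES = {"users", "support_tickets"}  # assumed table names


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "user": m["user"],
            "stmt": m["stmt"], "table": m["table"], "rows": int(m["rows"])}


def detect_bulk_reads(log_text, threshold=10000, window_s=300):
    """Return {user: peak_rows} for users whose SELECTs against sensitive tables
    exceed `threshold` rows within any sliding window of `window_s` seconds."""
    window = timedelta(seconds=window_s)
    per_user = defaultdict(list)
    for e in map(parse_line, log_text.splitlines()):
        if e and e["stmt"] == "SELECT" and e["table"] in SENSITIVE_TABLES:
            per_user[e["user"]].append((e["ts"], e["rows"]))
    alerts = {}
    for user, reads in per_user.items():
        reads.sort()
        start, total = 0, 0  # sliding window over time-ordered reads
        for ts, rows in reads:
            total += rows
            while ts - reads[start][0] > window:  # evict reads older than the window
                total -= reads[start][1]
                start += 1
            if total > threshold:
                alerts[user] = max(alerts.get(user, 0), total)
    return alerts
```

Calling `detect_bulk_reads(SAMPLE_LOG)` returns `{'admin_backup': 73000}`; the routine application account and the small reporting query stay below the threshold.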