A database containing 64,000 user records was published to GitHub after an attacker claimed to have compromised all Atlas systems
# Incident Report: Compromise of Atlas Menu Cheat Service
## Executive Summary
In May 2026, the Atlas Menu cheat service, catering to Grand Theft Auto V and Counter-Strike 2 players, suffered a comprehensive system compromise. An attacker exfiltrated a database containing 64,000 user records, including hashed passwords and internal support logs, and subsequently published the data to GitHub. The incident is characterized by an alleged total compromise of "all Atlas systems" and claims of unauthorized screenshot monitoring.
## Incident Details
- **Discovery Date:** May 2026
- **Incident Date:** May 2026
- **Affected Organization:** Atlas Menu
- **Sector:** Gaming / Software Utilities (Cheat Provider)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Unknown (Attacker claims full access to "all Atlas systems")
- **Details:** The attacker gained unauthorized entry into the backend infrastructure hosting the Atlas Menu service and customer data.
### Lateral Movement
- **Details:** Evidence suggests the attacker moved from initial entry points to core databases and administrative logging systems, allowing for the extraction of support tickets, administrator logs, and license key data.
### Data Exfiltration/Impact
- **Details:** The attacker extracted a database containing 64,000 unique records. This data was then uploaded to a public GitHub repository (`github[.]com/k-script-oof/atlas-menu`). The breach included allegations that the software could be used for "screenshot spying" on its users.
### Detection & Response
- **How it was discovered:** The breach was identified when the attacker published the data publicly, and through a notification from the breach tracking site "Have I Been Pwned" (HIBP).
- **Response actions taken:** Community discussion on Reddit and public disclosure via HIBP; however, formal response actions from Atlas Menu operators were not detailed in the report.
## Attack Methodology
- **Initial Access:** Not specifically disclosed; likely exploitation of web vulnerabilities or credential compromise of administrative interfaces.
- **Persistence:** Attacker claims to have had access to "all systems," suggesting deep persistence.
- **Privilege Escalation:** Likely achieved, given the ability to access administrator logs and backend databases.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Extraction of bcrypt-hashed passwords.
- **Discovery:** Attacker mapped out internal support ticket systems and Rockstar Games account identifier databases.
- **Lateral Movement:** Traversed from web/application layers to database and log storage.
- **Collection:** Gathering of 64,000 user records, IP addresses, support conversations, and license keys.
- **Exfiltration:** Data was moved to a public GitHub repository.
- **Impact:** Massive data leak and reputational damage due to "screenshot spying" allegations.
## Impact Assessment
- **Financial:** Potential loss of revenue for the service provider; potential fraud risk for users who reused passwords.
- **Data Breach:** 64,000 unique email addresses, usernames, IP addresses, support tickets, license keys, and bcrypt-hashed passwords.
- **Operational:** Compromise of the "Atlas systems" used to manage cheat subscriptions and software distribution.
- **Reputational:** High; allegations of spying on users via screenshots further damage the trust of the user base.
## Indicators of Compromise
- **Network indicators:** IP addresses appear in the leaked database, but they are not specific to attacker origin.
- **File indicators:** Database dump hosted at `github[.]com/k-script-oof/atlas-menu`.
- **Behavioral indicators:** Unauthorized access to administrator logs and mass export of support tickets.
## Response Actions
- **Containment:** Not disclosed by the vendor.
- **Eradication:** Not disclosed.
- **Recovery:** Public notification via HIBP to alert affected users.
## Lessons Learned
- **Key takeaways:** Services operating in "gray market" sectors (like game cheats) often lack robust security controls, making them "soft targets" for attackers.
- **What could have been done better:** Implementation of multi-factor authentication (MFA) for administrative access and better isolation of sensitive user databases from the public-facing application.
## Recommendations
- **For Users:**
  - Immediately change passwords on any other accounts that shared the same credentials as Atlas Menu.
  - Enable MFA on all gaming and email accounts.
- **For Organizations:**
  - Regularly audit administrative logs for unauthorized access.
  - Ensure that support ticket systems do not store excessively sensitive user telemetry unless necessary.
  - Harden backend infrastructure to prevent a single point of failure from compromising "all systems."