No hacking required. No special tools. A free account and two API endpoints. Every email address, every server record, and children's school emails - all publicly accessible. The platform was notified and chose silence.
On 7 March 2026, security researcher Snelsterendier discovered that TopEaglerServers (topeaglerservers.com) - a browser-based Minecraft (Eaglercraft) hosting platform - had left its entire user and infrastructure database accessible on the open internet with no authentication and no access control of any kind.
The platform's backend API on port 3000 exposed the following administrative endpoints to any user with a free account:
| Endpoint | Data Returned |
|---|---|
| /admin/users | All 27,611 user records - full email addresses, usernames, admin flags, credit balances, activity timestamps, account IDs |
| /admin/servers | All 20,564 server records - live ports, Docker container IDs, real-time memory/CPU/disk stats, payment history |
| /admin/config | Full internal system configuration including filesystem paths and operational infrastructure details |
Additionally, hidden directories (EaglerhostCore and EaglerXServer) concealed in the platform's file manager were found to be fully accessible via standard user SFTP - a further exposure of server-side infrastructure.
All endpoints were accessible using nothing more than a standard session cookie from a free account. This is not a sophisticated exploit - it is a complete absence of access control on administrative API routes.
Every verified email on the platform. 100% of accounts had emailVerified = true.
All usernames and 8-character hex account identifiers - cross-referenceable across both databases.
Live transactional credit balances on all accounts, updating in real time.
20,564 records including 64-char Docker container IDs, live ports, and real-time resource stats.
Account creation dates, last login, and full server start history for every user.
Internal Java startup flags, memory tier requirements, and GC tuning for all server versions.
All times are UTC+1 (CET), as shown in preserved Discord screenshots filed with the ICO.
The exposed user database contains a significant number of K-12 school-issued email addresses. These are government-issued institutional addresses - there is no plausible non-educational interpretation. These users are students, very likely minors.
The following domains were identified in the data sample alone - less than 0.2% of the full 27,611-record dataset.
| Domain | Institution | Location |
|---|---|---|
| dallasisd.org | Dallas Independent School District | Texas, USA |
| online.houstonisd.org | Houston Independent School District | Texas, USA |
| lakesideusd.org | Lakeside Unified School District | California, USA |
| students.bentonschools.org | Benton School District | Arkansas, USA |
| brssd.org | Belmont-Redwood Shores School District | California, USA |
| student.uplifteducation.org | Uplift Education Charter Schools | Texas, USA |
| msd19.org | Malheur School District 19 | Oregon, USA |
| methow.org | Methow Valley School District | Washington, USA |
| albany.k12.ny.us | Albany City School District | New York, USA |
| myoneclay.com | Clay County District Schools | Florida, USA |
| masonohioschools.com | Mason City School District | Ohio, USA |
| edu.leonschools.net | Leon County Schools | Florida, USA |
| student.vigoschools.org | Vigo County School Corporation | Indiana, USA |
| hcarockwall.org | Heritage Christian Academy | Texas, USA |
| student.smusd.us | San Marcos Unified School District | California, USA |
Children's data attracts heightened obligations under Article 8 UK GDPR, the ICO's Age Appropriate Design Code, and US federal law including COPPA (15 U.S.C. Section 6501 et seq.). TopEaglerServers implemented no meaningful age verification and has taken no steps to protect or notify the children whose data was exposed.
When Snelsterendier raised UK GDPR obligations at 14:28 UTC+1 on 7 March 2026, staff member Josh issued the following responses - preserved verbatim and submitted as evidence to the ICO:
Snelsterendier immediately corrected this. Josh then added:
Both claims are legally incorrect and contradicted by TopEaglerServers' own documents:
UK GDPR applies based on the location of data subjects, not the controller's nationality. Their own Terms of Service states the platform is governed by UK law.
UK GDPR and the DPA 2018 apply to natural persons processing others' data - corporate status is irrelevant.
Their own Privacy Policy states: "we will notify you in a timely manner, as required by applicable laws." Not honoured.
A full formal complaint has been submitted to the Information Commissioner's Office (ICO) by @snugent120 on behalf of Snelsterendier. The complaint includes verbatim evidence of the GDPR denials, full breach disclosure, and a confirmed record of the Controller's total inaction. The ICO can investigate, issue enforcement notices, and impose penalties of up to £17.5 million or 4% of global turnover.
Because TopEaglerServers refused to notify any of its 27,611 users, @snugent120 and Snelsterendier initiated an independent notification campaign across Discord communities frequented by the Eaglercraft player base - performing the function the Controller is legally required to fulfil under Article 34 UK GDPR.
| Article | Violation |
|---|---|
| Art. 5(1)(f) | Integrity and confidentiality - no access control on admin API routes |
| Art. 32 | Security of processing - complete absence of appropriate technical measures |
| Art. 33 | 72-hour notification to supervisory authority - missed entirely |
| Art. 34 | Communication to data subjects - zero users notified |
| Art. 5(1)(a) | Lawfulness, fairness, transparency - Privacy Policy promise broken |
| Art. 5(1)(c) | Data minimisation - excessive technical data retained and exposed |
| Art. 8 | Children's consent - no age verification or parental consent mechanism |
| Art. 13/14 | Transparency - controller actively misrepresented its legal obligations |
If you have ever registered on topeaglerservers.com, your email address and account data were exposed.
Be suspicious of any email referencing TopEaglerServers, Eaglercraft, or your username. Your email is now in the public domain.
If you reuse the same password on other accounts that share this email, change them immediately.
Request access to or deletion of your data at contact@topeaglerservers.com.
Submit your own complaint at ico.org.uk/make-a-complaint. More complaints means stronger regulatory pressure.
Most affected users have not been told anything. If you know someone who uses the platform, send them this link.
Join our server for live updates, new findings, and to connect with others affected by this breach.
This disclosure and investigation would not have been possible without the following - who gave their time to ensure 27,611 people were not left in the dark.
For discovering the vulnerability, disclosing it responsibly, and having the integrity to ensure it was taken further when the platform refused to act. The entire process started here.
For helping spread awareness of this breach across Discord communities and ensuring affected users were reached directly.
For helping spread awareness of this breach across Discord communities and ensuring affected users were reached directly.
For compiling and submitting the formal ICO complaint, ensuring the Controller's inaction is on regulatory record, and broadcasting the disclosure widely.
For independently identifying vulnerabilities and working on the site - more to come soon.
For documenting the breach, evidence, and timeline - ensuring everything was recorded accurately for the public record and the ICO complaint.