TopEaglerServers' Data Breach

View some of the proof, here. (For the time being).
As you may know by now, TES has had a data breach. This website explains how, when, and what happened.
Brought to you by Snelsterendier.

View their Privacy Policy at the time of the breach.
View their Terms Of Service at the time of the breach.

Visit Discord for real-time updates and proof.

Hello everyone, I am snelsterendier.
I want to inform all of you about the recent data breach at TES. You probably came across this site via one of our Discord announcements.
On 7 March 2026, I discovered that TES had left its entire database publicly accessible. No hacking was required only a free account and access to exposed API endpoints.
I immediately reported this to the team. A staff member (Josh) acknowledged the issue and claimed a fix was deployed, but the vulnerability remained accessible. No users were notified.
Under GDPR, organizations have 72 hours to report breaches. TES failed to do so, so we are informing users ourselves.

The Breach

TES exposed administrative API endpoints without authentication:

/admin/users - 27,611 user records (emails, usernames, account data)
/admin/servers - 20,564 server records (ports, Docker IDs, usage stats)
/admin/config - internal system configuration

Additionally, internal directories were accessible via SFTP, exposing server infrastructure.

What Was Exposed

Email addresses
Usernames and account IDs
Credit balances
Server infrastructure data
Account activity timestamps
Internal configuration and JVM settings

Impact

A total of 27,611 users were exposed, including over 5,800 school email domains, indicating likely exposure of children's data.

Timeline

7 March 2026: Breach discovered and reported
7 March 2026: Acknowledged by TES staff
7 March 2026: Claimed fix (ineffective)
10 March 2026: 72-hour deadline missed
10 March 2026: ICO complaint filed by Snugent120

Legal Issues

TES failed to comply with GDPR obligations, including:

No access control (security failure)
No breach notification within 72 hours
No user notification
Failure to protect children's data

What You Should Do

Watch for phishing emails
Change reused passwords
Request deletion of your data
File a complaint with the ICO
Inform others who may be affected

Action Taken

A formal complaint has been submitted to the Information Commissioner's Office (ICO) by Snugent120. Since TES failed to notify users, we are spreading awareness ourselves.

CREDITS:

Snelsterendier - Vulnerability finder and organizer
Colbster937 - Broadcaster
Eclipse - Broadcaster
Snugent120 - Legal and Broadcaster
DataDecay - Documentator
Malindiboys - Documentator