Security Notice | Eagler.Host | 7 March 2026
This is our official statement regarding a security event that came to our attention on 7 March 2026. We want to give every Eagler.host user a full and accurate account of what occurred, and we are sorry this happened.
A misconfigured API route on our platform was identified and reported to us by security researcher Snelsterendier, working alongside @snugent120. We are grateful for that responsible disclosure. Upon being notified, our team began working on a fix immediately - the route was closed within a very short window of the report being made. This was not something we delayed on.
What was accessible: The exposed endpoint contained low-sensitivity account metadata only - email addresses, last online timestamps, account IDs, server creation counts, and other non-critical platform data. This information is of limited practical value and does not constitute sensitive personal information by any standard classification.
What was NOT accessible, at all:
- Passwords or password hashes
- IP addresses
- Payment information
- Eagler.host server data or configurations
- Any hosting infrastructure records
Contrary to the framing of the public disclosure, no critical or sensitive data was ever part of this exposure. Email addresses are widely classified as non-sensitive PII — unlike financial records, biometric data, or government identifiers, their exposure does not constitute a high-risk breach by standard data protection frameworks. [1]
What our logs show: We have conducted a thorough review of our access logs. They indicate that none of the accessible data was publicly distributed - access was limited to trusted, identifiable sources throughout, with no evidence of malicious use or broad public exposure.
We want to address points in the published disclosure that we believe present an incomplete picture. The report does not acknowledge that no critical data was ever involved. It also flags hidden directories - EaglerhostCore and EaglerXServer - as a concern. To be clear: these are hidden for organisational convenience only, not as a security measure. Both are independently protected at the backend level and carried no exploitable risk from being visible in the file manager.
We are not here to dismiss the disclosure - the API misconfiguration was real and we take it seriously. But you deserve an accurate picture, not an alarming one. It is also worth noting that the endpoint was only publicly reachable for a matter of hours before it was brought to our attention and closed — it was not a long-standing open exposure.
All users have been credited a bonus to their account in recognition of the inconvenience. No action is required on your part — however, if you would prefer to remove your data entirely, we have implemented account deletion directly in the Eagler.host dashboard. Deleting your account will permanently wipe all associated data from our systems.
Looking ahead: An independent security audit of Eagler.host was commissioned approximately 36 hours ago and came back clean - no vulnerabilities or further exposure risks were identified. We are also actively engaging cybersecurity contractors to work directly on Eagler.host on an ongoing basis. This was already under consideration, and this event has made it a firm priority.
Additionally, we will be introducing a policy requiring any existing accounts registered with a school or institutional email address to migrate to a personal email. Going forward, sign-ups using detected school email domains will be blocked entirely. We believe this is the right step to better protect younger users on the platform.
Terms of Service update: Our Terms of Service have been updated to reflect United States jurisdiction. The previous version was based on UK law — this has now been aligned with US law, since our infrastructure, operations, and the majority of our user base are US-based. This brings our legal documentation in line with where we actually operate and ensures clearer, more relevant protections for our users.
Geographic access: We are also expanding geographic access restrictions across the platform. Eagler.host will be progressively limited to US-based users, reinforcing our ability to provide consistent service quality, comply with US data protection standards, and offer faster, more reliable support within a single legal jurisdiction. This is a natural extension of where our platform is headed and allows us to focus our resources where they matter most.
We are sorry this happened. You placed your trust in us and we do not take that lightly. If you have any questions or concerns, please reach out to our team directly. This will be our final statement on this matter — we consider the incident fully resolved and do not anticipate issuing further updates unless new information materially changes the picture outlined above.
