Gaming News

Star Citizen website security hole exposes data. Fan created script to fetch/extract “true” numbers: 510k backer accounts, of whom 60k have spent $1k+

Content of the article: "Star Citizen website security hole exposes data. Fan created script to fetch/extract “true” numbers: 510k backer accounts, of whom 60k have spent $1k+"

Posted by Redditor NightNord on the Star Citizen subreddit here, all credit goes to them for their investigative work.

So, long story short – I have a script that fetches number of citizens, backers, concierge and staff members (with potential to gather all sorts of information like subscribers, ETF members, etc) every day since 1st of August

Here are the results:

Here are the scripts, so you can check them by yourself: I assume that if you want to use the scripts, you can figure it out by yourself – you need to make the config.json file and provide the _rsi_device, Rsi-Token cookie values (after logging in), as well as your browser's user-agent. Word of advice – use a temp account

WTH am I looking at? Where that data comes from?

The data comes from what I consider to be a spectrum security hole.

Essentially, when you register on the RSI website, at least since the latest login procedure change and further spectrum/game-chat integration, your new account is immediately registered on the Spectrum as well (considering they are using the same token cookie for the primary auth, I would assume that they are using the same account database as well) – you can easily check that by registering a new account with fake email. You don't need to activate it, it's available with user search in Spectrum immediately

The new account registration is also added to the "Star Citizen" organization – essentially the main spectrum page is just an organization page, but you can't join or leave the "Star Citizen" organization – you are added there automatically. But it is an organization and as any organization it has the member list (you may see one if you have your organization) – and while you can't access it via UI, you can send the request similar to the one an ordinary organization will send, but with the id of the "Star Citizen" organization (1)

As far as I can tell, by random tests of creating new accounts – it seems to have all new accounts. It may lack some older accounts that have never logged in after the migration, if they have some sort of lazy migration process. In either case, it seems that any newly registered or logged in account should be in that database as the game is now using the same database, so you wouldn't be able to login into the game if you wouldn't be there.

The "concierge", "staff", etc information comes from spectrum permissions (access to the concierge forum, subscriber forum, "staff" plaque, etc) that are for some reason reported for every member (and every org of that member, although you can't see the details of orgs you are not part of)

How valid is the data?

It's what spectrum reports and it seems to be consistent with the tests. But it's also spectrum and a product of Turbulent – and some users have very peculiar accounts (like some guy have no handle at all), so there are definitely some issues. It might be that this member system is just buggy

There is another system that could be used to enumerate users – the autocomplete service, the new (spectrum-based) and the old one. I've used the old one in 2017 for a similar task, but unrelated reasons and found similar results (there was a significant difference, but not that significant ~2x, although my memory is fuzzy about it and I have only the results, not the entire list). Yet as it will take several days to enumerate every account (and it will be a lot more complex process) and I'd rather not do it unless there is a clear example of mismatch between data reported (as in – an account known to exist is not present in the resulting member database)

How can it be tested?

Here is the member database from the last script run ( (150Mb). You can look for yourself and other known accounts in it and see if you can find them. I am publishing that database as anyone can get one with scripts published anyway

Why there are just 600k registrations when the official number is 3 million+? What is the "difference"? Why is it increasing?

Frankly speaking – I don't know. I had several theories:

  1. The difference comes from removed inactive (invalid email) accounts and possibly from some legacy accounts not being converted to the new spectrum database. That's what "difference" was meant to confirm – it's counting the difference between official citizen number and reported number of account registrations, assuming that by the 1st of August both counters were representing the same amount of active users, with difference being said reasons.But if that would actually be the case, the difference wouldn't raise daily as it does. So I doubt that theory is correct
  2. It's a number of "game copies sold". Basically assuming that "CIG can't be that incompetent to just fake it" – if you count every SC and SQ42 copy sold as a "citizen" you'll get the same metric AAA games report when bragging about sales, even if all those copies are owned by smaller number of people. That would mean that on average every backer owns ~6 copies, which isn't that far-fetched.I've made another script ( to test this theory – I was buying Aurora packages with SC included and was checking the official reported number and number of registrations. There seems to be no correlation at all
  3. It's a fake "projection" that simply ticks every of often – that seems to be the case looking at what the script above reports, but honestly that would be criminally stupid even for CIG

So, again, I have no idea what this number means, but it's clearly not the number of registrations or any stable bias of it

Ok, but what does it mean?

Strictly speaking – nothing. We have no proof of any malice on CIG side and frankly I never considered the citizen counter to be an anywhere important number. Concurrent users, unique daily, weekly, monthly and yearly users are a lot more important metrics for an MMO than the number of registrations

But considering that recently CR have claimed they are going to reach 1m yearly unique users, that rises questions on how it's possible if they apparently don't have a million registered accounts even

In either case, this was meant to disprove the weird theory some people had during the 300 m milestone that apparently CIG does get most of its money now from new game sales and not big spender pledges, hence no need to acknowledge the milestone as it's "business model as intended" mostly now. Well, if we only have 600k registrations and a significant chunk of them are concierge, and 10-20 backers become concierge every day – that's clearly not the case

At this moment, the official Star Citizen website says:

  • Star Citizens = 2,796,311
  • Funds Raised = $313,198,570
Read:  Is there a simple and active MMORPG with no overcomplicated character creation?


Similar Guides

© Post "Star Citizen website security hole exposes data. Fan created script to fetch/extract “true” numbers: 510k backer accounts, of whom 60k have spent $1k+" for game Gaming News.

Top 7 NEW Games of June 2020

Quite a few exciting games are releasing for PC, PS4, Xbox One, and Nintendo in June. Here's what to keep an eye on.

Top 10 NEW Open World Games of 2020

Video games with open worlds continue to roll out in 2020 on PC, PS4, Xbox One, Nintendo Switch, and beyond. Here are some to look forward to!

Top 10 Best New Upcoming Games 2020-2021

The best selection of games which will be released in 2020 and 2021 for PS4, PS5, Xbox One, Xbox Series X, Google Stadia and PC - and you can watch in amazing UHD 4K and 60FPS with latest updates about all of the games in this list!

You Might Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *