What happened

Between March 19–22, 2026, Club Escape Cleveland was targeted by an automated credential stuffing attack. Attackers used username and password combinations obtained from data breaches at unrelated third-party websites and ran them against our login system using automated software distributed across 29 different IP addresses.

What "logging in" actually means in this context

While the logs confirm that attacker IP addresses received successful login responses from our server, it is important to understand what that means technically and — more importantly — what it does not mean.

A successful login response in this context simply confirmed to the attacker's script that the username and password combination it submitted was correct. It is the equivalent of a key fitting a lock — it does not mean the door was opened.

Our platform is built so that every page a member can actually see or interact with — their profile, their reservation history, the social platform, their personal information — requires a secondary security validation called a CSRF token. This token is only generated when a real person loads a page through an actual web browser. The automated scripts the attackers were using had no browser, no session, and no way to obtain this token. As a result, they could not access, view, or interact with any member data whatsoever after the login response was received.

This is confirmed by our server logs, which show no post-login activity from any of the attacker IP addresses — no profile pages loaded, no social platform accessed, no account details viewed or changed.

What the attackers actually gained

The practical outcome of this attack was that the attackers built a list of verified working credentials — username and password combinations they now know are valid for Club Escape accounts. They did not see your personal information, your photos, your messages, your reservation history, or any other data stored on our platform.

The risk this creates is not to your Club Escape account specifically — it is to any other website where you may have used the same password. If you reuse passwords across sites, those other accounts may be vulnerable.

What was done to protect you

Upon detecting the attack we took the following immediate steps:

• All member passwords were invalidated and all active sessions terminated
• A Cloudflare rate limiting rule was added capping login attempts per IP address, closing the gap the attackers exploited
• All confirmed attacker IP addresses were blocked
• A clear notification was added to the login page directing members to reset their passwords

What you need to do

• Visit clubescapecleveland.com and use the Forgot Password link to set a new password
• Choose a password that is unique to Club Escape and not used on any other website
• If you have used the same password on any other site, change it there as well

We sincerely apologize for the concern this may cause. If you have any questions please do not hesitate to contact us directly.