[Photo caption] Rec Room gift cards in a retail kiosk in Seattle. The social gaming platform, which is shutting down June 1, experienced a previously unreported brute-force attack on its friend-finder feature earlier this year that linked user phone numbers to their online identities. (GeekWire Photo / Todd Bishop)

Someone misused Rec Room’s friend-finder feature to match phone numbers to the user names of hundreds of thousands of players on the social gaming platform — assembling a database that connects their online identities directly to their real-world contact information. The incident, which took place in January, hasn’t been previously reported or publicly acknowledged except in a brief response by a Rec Room staffer to a question in an online forum.

It’s not directly related to the subsequent announcement that the Seattle-based company will shut down the social gaming platform June 1, after 10 years in business. In messages to GeekWire, a person familiar with the incident expressed concern that Rec Room has never proactively notified users whose phone numbers and user identities were linked through the brute-force attack — leaving them unaware of the situation and vulnerable to harassment, phishing, or other attacks, especially as the platform shuts down. Responding to our inquiries about the incident, the company acknowledged that it learned in January that an individual was running a high volume of queries against its friend-finder API.

After discovering this, the company said, it disabled the feature and banned the user. Rec Room said it engaged an outside legal and forensics firm to conduct a review, which concluded that disabling the API was sufficient and no regulatory notification was required. The feature only returned a username when matched with a phone number or email, Rec Room said, and did not expose additional account information or credentials.

“We take user safety and security seriously and have robust measures in place to protect user data,” a Rec Room spokesperson said in a follow-up statement, adding that the company “reviewed our privacy settings and confirmed they’re working as intended.”

What happened: The incident didn’t involve someone breaking into Rec Room’s servers or accessing its database directly. Instead, it happened through the platform’s friend-finder feature, which let players upload their phone contacts to see which of their friends were already on the platform. Under the hood, the system accepted a phone number and returned a Rec Room username if there was a match.

The feature was designed for individual users checking their personal contacts. However, the system had no apparent safeguards to prevent someone from querying it at a massive scale. That’s what happened in January, according to the person familiar with the matter.

Someone systematically ran all US and Canadian phone numbers through the system, collecting every hit. The result, the person said, was a database of nearly 279,000 records. The database was subsequently sold to others, according to the person familiar with the incident, who said the system used to distribute it was itself not secure, potentially making it accessible to a wider audience.
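As an added illustration, not Rec Room’s own code or logs, the following is the kind of detection logic a platform could run over its contact-discovery API logs to catch the pattern described above: a genuine contact sync is bounded by the size of a phone’s address book, while an account walking a number range is not. The log format, account ids, phone numbers and thresholds are all constructed assumptions.

```python
"""Flag accounts that query a contact-discovery endpoint at enumeration scale."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log lines (not real data): one legitimate contact sync
    of 38 numbers in a burst, and one account walking a number block at a steady rate."""
    base = datetime(2026, 1, 10, 12, 0, 0)
    lines = []
    for i in range(38):  # legitimate user uploading an address book
        ts = base + timedelta(seconds=i)
        hit = "match" if i % 7 == 0 else "nomatch"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} acct=u100 phone=+1206555{i:04d} result={hit}")
    for i in range(1500):  # assumed abuser: sequential numbers, two lookups per second
        ts = base + timedelta(seconds=i // 2)
        hit = "match" if i % 9 == 0 else "nomatch"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} acct=u999 phone=+1425555{i:04d} result={hit}")
    return lines


def parse_line(line):
    """Parse 'TS acct=... phone=... result=...' into (datetime, acct, phone, result)."""
    ts_str, acct, phone, result = line.split()
    return (datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            acct.split("=", 1)[1], phone.split("=", 1)[1], result.split("=", 1)[1])


def find_enumerators(lines, window=timedelta(minutes=10), max_lookups=200):
    """Return {account: peak distinct numbers looked up within any `window`}
    for accounts whose peak exceeds `max_lookups` (threshold is an assumption)."""
    per_acct = defaultdict(list)
    for line in lines:
        ts, acct, phone, _ = parse_line(line)
        per_acct[acct].append((ts, phone))
    flagged = {}
    for acct, events in per_acct.items():
        events.sort()
        recent = deque()            # (ts, phone) events inside the sliding window
        counts = defaultdict(int)   # phone -> occurrences inside the window
        peak = 0
        for ts, phone in events:
            recent.append((ts, phone))
            counts[phone] += 1
            while recent and ts - recent[0][0] > window:  # expire old events
                _, old_phone = recent.popleft()
                counts[old_phone] -= 1
                if counts[old_phone] == 0:
                    del counts[old_phone]
            peak = max(peak, len(counts))
        if peak > max_lookups:
            flagged[acct] = peak
    return flagged
```

The same per-account window count, enforced at request time as a quota rather than only reviewed after the fact, is the safeguard the article says the feature lacked.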

Rec Room’s response: Asked about the size of the database, Rec Room said it did not recognize the number provided by the source, but did not offer its own count of affected users. Without additional information, it’s unclear if the company has determined the size of the assembled database or the full scope of the incident. Rec Room said no phone numbers or emails were acquired directly from the company.

Responding to a user question about the incident in the company’s Discord server on Feb. 19, a Rec Room staffer said the platform had previously allowed users to find friends by searching their contacts, and that some users were “abusing this functionality at scale.” The message said the feature had been disabled “out of an abundance of caution.”

Why it matters now: The company has not proactively notified affected users. Rec Room said its support team has been responding to players who’ve contacted the company after receiving unsolicited texts that were apparently connected to the assembled database.

With the platform now scheduled to shut down June 1, the window for proactive notification is closing. After that date, Rec Room will no longer have an in-app channel to reach its players. Rec Room’s shutdown itself could increase the risk.

An attacker with the database could use the closure to craft convincing phishing messages — for example, a text or email impersonating Rec Room and urging players to click a link to export their data before the platform goes dark. The shutdown would give such a message built-in plausibility. Phone numbers can also be used to find real names and home addresses through publicly available records, or to attempt SIM swapping, in which an attacker takes over a victim’s phone number to intercept calls, texts, and authentication codes. Users