Indonesian Ratings Board Leaks Spoilers for 007: First Light and Other Unreleased Games

by RedKnopka

A security flaw in Indonesia’s official game ratings system has resulted in one of the more unusual leaks in recent gaming history, accidentally exposing over an hour of unreleased footage from several upcoming titles, most notably IO Interactive’s James Bond origin story 007: First Light.

How It Happened

The vulnerability was discovered by a Reddit user known as Me_Finity, who was building an alternative frontend for the Indonesian Game Rating System (IGRS) website when they stumbled upon serious security problems. They found that ratings hidden from the public were still accessible by manually typing in a game’s internal ID, and that an unsecured backend API left private submission materials publicly accessible.

The Indonesian Game Rating System requires developers to submit gameplay footage showing violence, language, sexual content, and other material relevant to age classification. Developers typically share this footage through private Google Drive links or similar methods. The security flaw made these private submissions accessible to anyone who knew where to look, and more than 1,000 games were affected.
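
The flaw described above is a missing per-record authorization check: the public listing hides a record, but the lookup by ID does not. The sketch below is an added illustration, not code from the IGRS site or from this article; the record fields, sample data and function names are all hypothetical.

```python
from dataclasses import dataclass, asdict

@dataclass
class Rating:
    # Hypothetical fields; not the real IGRS schema.
    id: int
    title: str
    age_rating: str
    published: bool      # False = hidden from the public listing
    footage_url: str     # private submission material
    contact_email: str   # submitter contact

# Constructed sample records.
DB = {
    101: Rating(101, "Released Game", "13+", True,
                "https://drive.example/a", "dev-a@example.com"),
    102: Rating(102, "Unannounced Game", "18+", False,
                "https://drive.example/b", "dev-b@example.com"),
}

# Only these fields may ever leave the server for an anonymous caller.
PUBLIC_FIELDS = ("id", "title", "age_rating")

def list_public():
    """Listing endpoint: filters on `published`, so hidden games never appear."""
    return [r.id for r in DB.values() if r.published]

def get_rating_vulnerable(rating_id):
    """Detail endpoint with the flaw: looks up by ID only, returns every field."""
    r = DB.get(rating_id)
    return None if r is None else asdict(r)

def get_rating_hardened(rating_id, caller_is_reviewer=False):
    """Same lookup with an object-level check and a response allowlist."""
    r = DB.get(rating_id)
    # Hidden and missing records get the same answer, so IDs cannot be probed.
    if r is None or (not r.published and not caller_is_reviewer):
        return None
    if caller_is_reviewer:
        return asdict(r)
    return {k: getattr(r, k) for k in PUBLIC_FIELDS}
```

Filtering the listing is not access control: the check has to sit on every path that returns the record, and private fields should be excluded by allowlist rather than by remembering to strip them.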

The biggest casualty is 007: First Light. Over an hour of spoiler-filled footage for IO Interactive’s game has been verified as circulating online, including what appears to be the ending of the game. This is a serious blow for a narrative-driven title: the game releases May 27, meaning spoilers are now in the wild more than six weeks before launch.

The leaked footage also includes unreleased content from Bandai Namco’s Echoes of Aincrad, featuring cutscenes that appear to show significant story moments. Echoes of Aincrad is scheduled for July, making the exposure particularly premature.

Ubisoft’s Assassin’s Creed: Black Flag remake and Konami’s Castlevania: Belmont’s Curse were also part of the leak, though at the time of publishing, no footage for those titles appeared to have circulated online.

Beyond gameplay footage, the more serious long-term concern is that the leak also exposed contact details of high-level developers at major triple-A studios. More than 1,000 developer emails were publicly accessible as a result of the API vulnerability.

Nic McConnell, age ratings manager at Riot Games, addressed the situation publicly. He explained that the IGRS asks developers to submit footage via a private Google Drive link and theorized that some of those links may have been “opened more broadly somehow.” He described the IGRS system as “very much a work in progress” and advised developers to “only share the most relevant submission materials.” McConnell also suggested the team behind the IGRS is small and under-resourced, saying: “My sense is it’s a small group of good folks doing their best.”

A System Already Under Scrutiny

This incident didn’t occur in a vacuum. The IGRS was originally created in 2016 as a voluntary framework for rating locally-made Indonesian games. In 2024, a new regulation made ratings mandatory for all games distributed in Indonesia, with full enforcement kicking in from January 2026, after which unrated games face potential blocking by the Indonesian Ministry of Communication and Digital Affairs.

This is already the IGRS’s second significant slip-up this month. Just the week before, Indonesian game ratings rolled out on Steam with noticeably wrong classifications: games like Call of Duty received a 3+ rating, while family-friendly titles were tagged 18+.

The API vulnerability has since been fixed. However, the footage and emails that were already accessed remain in circulation. If you’re planning to play 007: First Light or Echoes of Aincrad and want to go in fresh, exercise serious caution on social media and gaming forums in the weeks ahead.
