
On the off chance anyone here plays the online game NationStates, the site was breached on Jan 27th, and they've been repairing it since.
In the statement from the site:

Quote

At about 10pm UTC on January 27, 2026, we received a report from a player who had discovered a critical bug in our application code. While testing this bug, the player gained access to our main production server and began copying application code and user data to his personal system.

This player has a history of contributing about a dozen bug & vulnerability reports to NationStates since 2021, particularly over the last six months. He is not a member of staff and was never granted permission for server entry or any privileged access. His nation has been previously credited with a Bug Hunter badge, which is an initiative that rewards players for reporting bugs & site vulnerabilities for us to fix.

In his report, the player apologized for exceeding authorized testing boundaries, and claimed he deleted all copied data when he realized what he'd taken. We have no way of confirming this. We consider both the system and the data compromised as the result of an attack.

What Was Exposed

Data that was accessed contains:

  • email addresses: including email addresses associated with the account in the past
  • passwords: stored as MD5 hashes, which is an old protocol that is obsolete by modern standards, and inadequate to prevent decryption in an event like this, where an attacker could have an offline copy of the data
  • IP addresses used to log in
  • browser UserAgent strings used to log in

NationStates doesn't collect real names, addresses, phone numbers, or credit card information.

The player did not gain entry to the server holding telegrams data, but did exploit access to it, and made an attempt to copy a portion of its data. We consider it likely that some contents were exposed.

The Bug

The vulnerability came from a new feature, Dispatch Search, which was implemented on Sep 2, 2025. The player was able to gain remote command execution (RCE) through a combination of a failure to sanitize user-supplied parameters with a double-parsing bug.

What We're Doing Right Now

  • Reporting Obligations: We are making users and relevant government authorities aware of the breach.
  • Server Rebuild: Since the production server must be considered compromised, we are completely rebuilding on new hardware.
  • Software Audit: We are inspecting our code for any similar vulnerabilities.
  • Hardening Systems: We are rewriting template parsing code to ensure that any similar bugs can't lead to the same outcome in the future.
  • Upgrading Password Security: We are immediately implementing a project that had been awaiting approval to replace the password hashing algorithm with a stronger modern protocol.
  • Developing Reopening Plan: We're figuring out how & when we can reopen.

What Will Happen Next

For nations with registered email addresses, you will be able to reset your password once the site reopens. We are still investigating the correct way to manage access to other nations.

What You Should Do

We consider all nation passwords to be compromised. This means that if you reused the same password on NationStates and anywhere else, then it should be immediately changed wherever it is used. We recommend never sharing passwords across multiple sites.

https://linustechtips.com/topic/1631598-nationstates-data-breach/
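The statement's "Upgrading Password Security" item describes replacing the hashing algorithm, and the obvious practical question is how to migrate existing unsalted MD5 records without forcing every user through a reset. This is an added example, not NationStates' code: it assumes a constructed record format (`md5$<hex>` for legacy rows, `pbkdf2$<rounds>$<salt>$<hex>` for new ones) and uses only the Python standard library, rehashing a legacy record to salted PBKDF2-HMAC-SHA256 at the one moment the plaintext is available, a successful login.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # order of magnitude recommended for PBKDF2-HMAC-SHA256 today


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the scheme the statement says was in use. Fast and saltless: two
    users with the same password get the same hash, and lookup tables apply directly."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_modern(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 record: pbkdf2$rounds$salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Constant-time check of a password against either record format."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), rest)
    if scheme == "pbkdf2":
        parts = rest.split("$")
        if len(parts) != 3:
            return False
        rounds, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed


def verify_and_upgrade(record: str, password: str) -> tuple[bool, str]:
    """Login check that also migrates: on success against a legacy MD5 record, return
    the modern record the caller should store in its place; otherwise return the
    record unchanged. Rows that never log in again still need a forced reset."""
    if not verify(record, password):
        return False, record
    if record.startswith("md5$"):
        return True, hash_modern(password)
    return True, record


def identical_for_same_password(hash_fn, password: str = "hunter2") -> bool:
    """True when a scheme maps equal passwords to equal records (no per-user salt)."""
    return hash_fn(password) == hash_fn(password)


# Constructed legacy row, as a database would have held it before migration.
LEGACY_MD5_RECORD = legacy_md5("correct horse")
```

Once every row has been rehashed the `md5` branch of `verify` should be deleted, so a future copy of the table contains only salted, slow records.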

I have never heard of this game but one may call that player a "Nation State Hacker" haha 

seeing the words md5 and password next to each other is so scuffed. 
like yeah nah mate nah yeah nah they are basically cleartext, my gpu does brute force on md5 at 22 billion hashes/sec or so. 


I went there a couple days ago for the first time in a few months to find that, unlucky that now that I have the time in my day to check it, it goes down ;-; In any case, the email and password were both randomly generated so I at least feel pretty safe...


7 minutes ago, OhYou_ said:

I have never heard of this game but one may call that player a "Nation State Hacker" haha 

seeing the words md5 and password next to each other is so scuffed. 
like yeah nah mate nah yeah nah they are basically cleartext, my gpu does brute force on md5 at 22 billion hashes/sec or so. 

The game was put up in the early 2000s so I bet it hasn't changed hashing method ever.



While the fact that passwords were stored as MD5 hashes is inexcusable, since it's barely a step up from plain text, I like the frank and open messaging in their statement about what happened and what to expect. Seems like a lot of bigger players could take inspiration from that.


12 hours ago, Avocado Diaboli said:


While the fact that passwords were stored as MD5 hashes is inexcusable, since it's barely a step up from plain text, I like the frank and open messaging in their statement about what happened and what to expect. Seems like a lot of bigger players could take inspiration from that.

Yeah. From them, in regard to using MD5 hashes:

Quote

which is an old protocol that is obsolete by modern standards, and inadequate to prevent decryption in an event like this,


At least they're admitting to it. More than can be asked of some other certain sites...
