
NationStates confirms data breach, shuts down recreation web site

NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident.

The government simulation game, developed by creator Max Barry and loosely based on his novel Jennifer Government, disclosed that an unauthorized user gained access to its production server and copied user data.

Vulnerability reporter crossed a line

On January 27, 2026, around 10pm (UTC), NationStates received a report from a player who had discovered a critical vulnerability in its application code.


While testing the bug, however, the player exceeded authorized boundaries and gained remote code execution (RCE) on the main production server, allowing him to copy application code and user data to his own system.

“This player has a history of contributing a few dozen bug & vulnerability reports to NationStates since 2021, particularly over the last six months. He is not a member of staff and was never granted permission for server access or any privileged access,” wrote Barry in a data breach notice updated January 30th.

“His nation has been previously credited with a Bug Hunter badge, which is an initiative that rewards players for reporting bugs & site vulnerabilities for us to fix.”


Although the individual later apologized and claimed the data had been deleted, the site has no way to verify this and is therefore treating both the system and the data as compromised.

The breach stemmed from a flaw in a relatively new feature called “Dispatch Search,” launched on September 2, 2025. NationStates said the attacker chained insufficient sanitization of user-supplied input with a double-parsing bug, resulting in RCE.

“This is a critical bug, and the first time something like this has been reported in the site’s history. We are grateful for the report. Unfortunately, the reporter did not merely confirm the bug’s existence, but also then went ahead and breached the server.”

“Because there was unauthorized access to the server, the only way to be sure it is secure is to completely hose it and rebuild. We also need to determine what material was accessed or copied off the server. This will likely take at least a few days,” Barry had earlier written, shortly after being made aware of the data exposure.


Today, in tests by BleepingComputer, the nationstates.net website was intermittently up, displaying the breach notice, before going down at the time of writing.

Exposed data includes email addresses, MD5 password hashes

The exposed data contained:

  • Email addresses (including email addresses associated with the account in the past)
  • Passwords: stored as MD5 hashes, which is an outdated protocol that is obsolete by modern standards, and inadequate to prevent decryption in an instance like this, where an attacker may have an offline copy of the data
  • IP addresses used to log in
  • browser UserAgent strings used to log in

Telegrams data: “The player did not gain access to the server holding telegrams data, but did exploit access to it, and made an attempt to copy a portion of its data. We consider it likely that some contents were exposed,” the data breach notice further warns.


In the context of the game, a telegram is an internal private messaging system, similar to email or forum private messages (PMs).

NationStates states that it does not collect real names, physical addresses, phone numbers, or credit card information.

The website is expected to be back online within two to five days. Once restored, users can check the specific data stored for their nation at https://www.nationstates.net/page=private_info.

In the meantime, NationStates has reported the incident to government authorities, as it focuses on completely rebuilding the production server on new hardware, conducting security audits and improvements, and upgrading password security.
