NationStates confirms data breach, shuts down game site

NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident.

The government simulation game, developed by author Max Barry and loosely based on his novel Jennifer Government, disclosed that an unauthorized user gained access to its production server and copied user data.

Vulnerability reporter crossed a line

On January 27, 2026, around 10pm (UTC), NationStates received a report from a player who found a critical vulnerability in its application code.

While testing the bug, however, the player exceeded authorized boundaries and gained remote code execution (RCE) on the main production server, allowing them to copy application code and user data to his own system.

“This player has a history of contributing a few dozen bug & vulnerability reports to NationStates since 2021, notably during the last six months. He’s not a member of staff and was never granted permission for server access or any privileged access,” wrote Barry in a data breach notice updated January 30th.

“His nation has been previously credited with a Bug Hunter badge, which is an initiative that rewards players for reporting bugs & site vulnerabilities for us to fix.”

Although the user later apologized and claimed the data was deleted, the site has no way to verify this and is therefore treating both the system and the data as compromised.

The breach stemmed from a flaw in a relatively new feature called “Dispatch Search,” launched on September 2, 2025. NationStates said the attacker chained together insufficient sanitization of user-supplied input with a double-parsing bug, resulting in an RCE.

“This is a critical bug, and the first time something like this has been reported in the site’s history. We’re grateful for the report. Unfortunately, the reporter did not merely confirm the bug’s existence, but also then went ahead and breached the server.”

“Because there was unauthorized access to the server, the only way to make sure it's secure is to utterly hose it and rebuild. We also need to determine what material was accessed or copied off the server. It will likely take at least a few days,” Barry had earlier written, shortly after being made aware of the data exposure.

At the moment, in tests by BleepingComputer, the nationstates.net website was intermittently up, displaying the breach notice, before going down at the time of writing.

Exposed data includes email addresses, MD5 password hashes

The exposed data contained:

  • Email addresses (including email addresses associated with the account in the past)
  • Passwords: stored as MD5 hashes, which is an old protocol that’s obsolete by modern standards, and inadequate to prevent decryption in an event like this, where an attacker may have an offline copy of the data
  • IP addresses used to log in
  • Browser UserAgent strings used to log in

NationStates states that it does not collect real names, physical addresses, phone numbers, or credit card information.

Once the site is restored, users can check the exact data stored for their nation at https://www.nationstates.net/page=private_info.

“The player didn’t gain access to the server holding telegrams data, but did exploit access to it, and made an attempt to copy a portion of its data. We consider it likely that some contents were exposed,” further warns the data breach notice.

In the context of the game, a telegram is an internal private messaging system, similar to email or forum private messages (PMs).

The website is estimated to be back online within two to five days.

In the meantime, NationStates has reported the incident to government authorities, as it focuses on completely rebuilding the production server on new hardware, conducting security audits and improvements, and upgrading password security.
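
One way a move off MD5 password storage, as described above, can be done without waiting for every user to log in; this is an added example, not NationStates code. Each stored MD5 digest is wrapped in salted scrypt right away, then replaced by a direct scrypt hash at the next successful login. The record layout, the unsalted lowercase-hex MD5 input and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune per host.
N, R, P, DKLEN = 2**14, 8, 1, 32

def _scrypt(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=N, r=R, p=P, dklen=DKLEN)

def wrap_legacy(md5_hex: str) -> dict:
    """Bulk step, no password needed: store scrypt(md5_hex) and drop the raw MD5."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(md5)", "salt": salt,
            "hash": _scrypt(md5_hex.lower().encode(), salt)}

def hash_new(password: str) -> dict:
    """Target format: salted scrypt over the password itself."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": _scrypt(password.encode(), salt)}

def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record_to_store); wrapped records are rehashed on success."""
    if record["scheme"] == "scrypt(md5)":
        inner = hashlib.md5(password.encode()).hexdigest().encode()
        ok = hmac.compare_digest(_scrypt(inner, record["salt"]), record["hash"])
        return ok, (hash_new(password) if ok else record)
    if record["scheme"] == "scrypt":
        candidate = _scrypt(password.encode(), record["salt"])
        return hmac.compare_digest(candidate, record["hash"]), record
    return False, record  # unknown or bare-MD5 scheme: fail closed

if __name__ == "__main__":
    # Constructed sample: the MD5 hex a legacy row would hold for this password.
    legacy_md5 = hashlib.md5(b"correct horse").hexdigest()
    row = wrap_legacy(legacy_md5)
    for attempt in ("wrong guess", "correct horse", "correct horse"):
        ok, row = verify_and_upgrade(row, attempt)
        print(attempt, ok, row["scheme"])
```

Wrapping only protects the database from that point on; digests that were already copied stay open to offline guessing, so affected passwords still need to be changed.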
