Data Leak!

by Max Barry
Sun, 01 Mar 2015

Some bad news: Yesterday we discovered that some private player data, including email addresses and password hashes, were inadvertently exposed to the internet.

Who is affected?

3,325 nations. This is 0.08% of the total, so you are extremely unlikely to be one of them. But please use this Data Leak Checker to make sure.

Additionally, some telegrams sent to these nations by 3,460 other nations were exposed. In these cases, no personal information was revealed, only the telegram contents.

What happened?

In late September last year, our backup disk started playing up, continually disconnecting from and reconnecting to its server. The disk was replaced on October 7. From our investigations so far, it appears that shortly before this, the disk corrupted two Daily Dump archive files in such a way that these files contained the wrong data.

This only affected two files as they were being copied into the long-term Daily Dump Archive. The regular Daily Dump files, which are regularly downloaded by third-party sites, were never corrupted and didn't expose any private data. But the archived version, which is made available for public access, did.
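The failure mode described above, a copy that no longer matches its source being published into a long-term archive, is exactly what a digest check at copy time catches. The following is an added illustration, not NationStates' own tooling or any code from this announcement: it hashes the source dump, copies it into the archive directory, re-hashes the copy, refuses to keep a mismatched copy, records the digest in a manifest, and can later re-verify the whole archive. File names, paths and contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile

MANIFEST = "SHA256SUMS"  # assumed manifest name; any fixed name works


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_with_verification(src, archive_dir):
    """Copy src into archive_dir only if the copy hashes identically to the source.

    Returns (dest_path, digest). On mismatch the bad copy is deleted and a
    RuntimeError is raised, so a corrupted file never becomes publicly downloadable.
    """
    expected = sha256_of(src)
    dest = os.path.join(archive_dir, os.path.basename(src))
    shutil.copyfile(src, dest)
    actual = sha256_of(dest)
    if actual != expected:
        os.remove(dest)
        raise RuntimeError(f"archive copy of {src} is corrupt: {actual} != {expected}")
    # Append to the manifest so the archive can be re-checked later (e.g. after a disk swap).
    with open(os.path.join(archive_dir, MANIFEST), "a", encoding="utf-8") as m:
        m.write(f"{expected}  {os.path.basename(src)}\n")
    return dest, expected


def verify_manifest(archive_dir):
    """Re-hash every file listed in the manifest; return the names that fail or are missing."""
    bad = []
    with open(os.path.join(archive_dir, MANIFEST), encoding="utf-8") as m:
        for line in m:
            digest, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(archive_dir, name)
            if not os.path.exists(path) or sha256_of(path) != digest:
                bad.append(name)
    return bad


def demo():
    """Constructed scenario: archive a good dump, then corrupt the archived copy and detect it."""
    tmp = tempfile.mkdtemp()
    try:
        src = os.path.join(tmp, "nations.xml.gz")  # constructed file, not a real dump
        with open(src, "wb") as f:
            f.write(b"<NATIONS>public nation data</NATIONS>")
        archive = os.path.join(tmp, "archive")
        os.makedirs(archive)

        dest, _digest = archive_with_verification(src, archive)
        clean = verify_manifest(archive)          # [] : copy matches its manifest entry

        # Simulate the disk writing the wrong bytes into the archived file.
        with open(dest, "wb") as f:
            f.write(b"<NATIONS>wrong data from a bad disk</NATIONS>")
        corrupted = verify_manifest(archive)      # ["nations.xml.gz"]
        return clean, corrupted
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

Checking the digest of the copy rather than trusting the copy call is the point: a flaky disk can return success for a write and still hand back different bytes on read, and the manifest lets the same check be re-run over the whole archive after hardware is replaced.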

What do I need to do?

If your nation is one of the 3,325 affected, and you haven't changed its password since October 2014, you should immediately do so. If you use the same combination of email address and password on other sites, immediately change it there as well.

Only (encrypted) password hashes were exposed, not plaintext passwords. However, you should still change your password if it was exposed, because hashes aren't impervious to brute-force cracking by an attacker who has your data offline, especially if your password contains dictionary words.

What was exposed?

For the 3,325 affected nations, the exposed personal information was email addresses (where provided), password hashes (not plaintext passwords), IP addresses, and web browser UserAgent strings. Non-personal information included a wide range of internal nation data such as region name and internal variables. In many cases, especially for older nations that ceased to exist prior to the introduction of the new telegram system in February 2013, their stored telegrams were also exposed (up to 20). The great majority of these were recruitment messages.

We do not store credit card information, real names, addresses, phone numbers, or any other personal data.

What is being done about it?

The bad hardware was replaced in October last year. We took the new disk offline and performed a full integrity check on it. We continue to check our systems to make sure there has been no wider exposure. We have created a Data Leak Checker Tool to verify whether any of your data was exposed, including telegrams sent to exposed nations. We are emailing everyone whose nation was affected and who supplied an email address for that nation.

I'm very sorry for this incident. It's a terrible feeling to think your personal information has been leaked. If you have any questions or concerns, please contact us.

Update: There is a discussion thread here.