NationStates Data Breach Due to Exploited Vulnerability

1 unique source, 1 article

Summary

NationStates, a multiplayer browser-based game, confirmed a data breach after an unauthorized user exploited a critical vulnerability in its application code. The breach occurred on January 27, 2026, when a player discovered and tested a bug, gaining remote code execution (RCE) on the main production server. The attacker copied user data, including email addresses, MD5 password hashes, IP addresses, and browser UserAgent strings. The site was taken offline for investigation and is expected to be back within two to five days. The breach stemmed from a flaw in the 'Dispatch Search' feature, introduced on September 2, 2025. The attacker chained together insufficient sanitization of user-supplied input with a double-parsing bug, resulting in RCE. The site is being rebuilt on new hardware, and security audits and enhancements are being conducted.

Timeline

  1. 02.02.2026 12:05 · 1 article · 23h ago

    NationStates Data Breach Confirmed and Site Taken Offline

    On January 27, 2026, NationStates confirmed a data breach after an unauthorized user exploited a critical vulnerability in its application code. The attacker gained remote code execution (RCE) on the main production server, copying user data. The site was taken offline for investigation and is expected to be back within two to five days. The site is being rebuilt on new hardware, and security audits and enhancements are being conducted.


Information Snippets

  • NationStates confirmed a data breach on January 27, 2026, after an unauthorized user exploited a critical vulnerability in its application code.

    First reported: 02.02.2026 12:05
    1 source, 1 article
  • The attacker gained remote code execution (RCE) on the main production server, copying user data including email addresses, MD5 password hashes, IP addresses, and browser UserAgent strings.

    First reported: 02.02.2026 12:05
    1 source, 1 article
  • The breach originated from a flaw in the 'Dispatch Search' feature, which was introduced on September 2, 2025. The flaw combined insufficient sanitization of user-supplied input with a double-parsing bug.

    First reported: 02.02.2026 12:05
    1 source, 1 article
  • The site was taken offline for investigation and is expected to be back within two to five days.

    First reported: 02.02.2026 12:05
    1 source, 1 article
  • The site is being rebuilt on new hardware, and security audits and enhancements are being conducted.

    First reported: 02.02.2026 12:05
    1 source, 1 article