NationStates hit by network compromise

Incident

First reported

02.02.2026 12:05

Last updated

02.02.2026 12:05

Happening score

H score 7

1 unique sources, 1 articles

Summary

Hide ▲

The NationStates breach exposed a production server compromise and forced the browser-based game offline, creating risk that copied data could be abused. On January 27, 2026, a player reporting a critical flaw in Dispatch Search exceeded authorized access and reached remote code execution (RCE) on the live server. The unauthorized access let the user copy application code and user data, and the site treated both the system and data as compromised. The exposed records included email addresses, MD5 password hashes, IP addresses, and browser UserAgent strings, while recovery was estimated at two to five days.

Timeline

02.02.2026 12:05 2 articles · 3mo ago

NationStates hit by network compromise

Initial Disclosure
The incident began on **January 27, 2026**, when a player reported a critical **Dispatch Search** flaw. While testing it, the user exceeded authorized access and achieved **RCE** on the main production server.
Show sources

NationStates confirms data breach, shuts down game site — www.bleepingcomputer.com — 02.02.2026 12:05

NationStates confirms data breach, shuts down game site — www.bleepingcomputer.com — 02.02.2026 12:05
Open in new tab