A long-running online nation simulation game has been taken temporarily offline following a security breach that compromised its central production server.
The team estimates the downtime will last 2 to 5 days as they rebuild core infrastructure and audit the codebase for additional issues.
According to an official disclosure posted on 30 January 2026 at 2:15 am UTC, the incident began around 10 pm UTC on 27 January 2026, when a player reported a critical vulnerability in the site’s application code.
While testing the flaw, the player gained access to NationStates’ primary production server and began copying application code and user data to a personal system.
The Attacker and Authorization Issues
The player is a long-time community member with a track record of responsibly reporting bugs and vulnerabilities since 2021, and previously earned a Bug Hunter badge for those contributions.
However, in this case, they exceeded authorized testing boundaries and moved from responsible disclosure into unauthorized access.
Although the player claims to have deleted all copied data after realizing the extent of the breach, NationStates states it has no way to verify this and is treating both the system and the data as fully compromised.
Exposed data includes email addresses (including historical addresses tied to the account), MD5-hashed passwords, IP addresses used for logins, and browser User-Agent strings.
NationStates emphasized that it does not collect real names, physical addresses, phone numbers, or payment card data.
Although the attacker did not gain direct server access to the Telegram system, they did exploit access to it and attempted to copy part of its data, leading the team to assume that some message content may have been exposed.
The root cause was traced to a new Dispatch Search feature introduced on 2 September 2025.
The vulnerability combined insufficient sanitization of user-supplied parameters with a double-parsing bug, ultimately enabling remote code execution (RCE) on the server.
In response, NationStates is notifying users and relevant regulators, rebuilding on new hardware, auditing its software for similar flaws, and hardening template parsing code.
It is also accelerating a long-planned upgrade from MD5 to a modern password hashing algorithm. All national passwords are being treated as compromised.
Users who reused their NationStates password on other services are urged to change those credentials immediately and plan to reset their NationStates password once the site reopens.
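One common way to carry out an MD5-to-modern-hash upgrade like the one mentioned above, shown as an added example that is not NationStates' code or stated method: stored MD5 digests are wrapped in scrypt offline so no bare MD5 remains at rest, and each record is re-hashed from the plaintext at the next successful login. The record format, function names and scrypt parameters are assumptions; wrapping does nothing for digests that have already been copied, which is why passwords still have to be reset.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed scrypt cost parameters (illustrative; tune for the target hardware).
N, R, P, DKLEN = 2**14, 8, 1, 32

def _scrypt(data: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(data, salt=salt, n=N, r=R, p=P, dklen=DKLEN)

def legacy_md5(password: str) -> str:
    """Legacy record as assumed here: unsalted MD5 hex digest."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()

def wrap_legacy(md5_hex: str) -> str:
    """Offline step: wrap a stored MD5 digest in scrypt (no plaintext needed)."""
    salt = os.urandom(16)
    return f"md5+scrypt${salt.hex()}${_scrypt(md5_hex.encode(), salt).hex()}"

def hash_new(password: str) -> str:
    """Final format: salted scrypt over the password itself."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password.encode(), salt).hex()}"

def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement). replacement is a new record to store when a
    wrapped legacy record verified and should be upgraded."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] not in ("md5+scrypt", "scrypt"):
        return False, None  # bare MD5 or unknown format: never accept
    scheme, salt_hex, digest_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False, None  # malformed record
    if scheme == "md5+scrypt":
        material = legacy_md5(password).encode()
    else:
        material = password.encode()
    ok = hmac.compare_digest(_scrypt(material, salt), expected)
    if ok and scheme == "md5+scrypt":
        return True, hash_new(password)  # drop MD5 from the chain
    return ok, None
```
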
