
NationStates confirms data breach after player gained unauthorized server access

NationStates, a multiplayer browser-based political simulation game, has confirmed a data breach after taking its website offline this week to investigate a security incident that exposed user data and application source code.


The breach occurred on Jan. 27, 2026, at around 10 p.m. UTC, when an unauthorized individual gained access to the game’s main production server. The intruder copied user information and internal code after exploiting a critical vulnerability in the platform, prompting operators to shut down the site and begin a full system rebuild.


NationStates is an online government simulation game created by author Max Barry and inspired by his novel Jennifer Government. The game allows players to run virtual nations and interact through in-game political, economic, and social systems.


The security incident began after a player reported a flaw in the application code tied to a relatively new feature called Dispatch Search, which was introduced in September 2025. While investigating the issue, the player exceeded authorized limits and chained multiple weaknesses to achieve remote code execution on the production server. The vulnerabilities included insufficient sanitization of user-supplied input combined with a double-parsing flaw in the site’s template processing logic.
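The two weaknesses named above, insufficient sanitization and a double-parsing template flaw, are a well-known combination: output from a first template expansion is fed back into the expander, so a value that was supposed to be plain user data is interpreted as template syntax on the second pass. The following is an added, generic illustration written for this article with a toy `{{placeholder}}` expander; it is not NationStates' code, and the template, the server-side context dictionary and the user-supplied `name` value are all constructed for the example. The single-pass renderer never rescans substituted text and HTML-escapes user values, which is the fix this class of bug calls for.

```python
import html
import re

# Toy template syntax: {{identifier}} (constructed for this example)
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed server-side context; a real app would not expose secrets
# to the renderer at all, but this shows what double parsing can reach.
SERVER_CONTEXT = {
    "greeting": "Hello",
    "db_password": "constructed-secret-value",
}

TEMPLATE = "{{greeting}}, {{name}}!"


def render_double_parse(template: str, context: dict) -> str:
    """Anti-pattern: the expanded output is run through the expander again.

    If a user-controlled value such as ``name`` contains ``{{...}}``, the second
    pass treats it as a placeholder and expands it against the server context.
    """
    expand = lambda m: str(context.get(m.group(1), m.group(0)))  # noqa: E731
    first_pass = PLACEHOLDER.sub(expand, template)
    return PLACEHOLDER.sub(expand, first_pass)  # the double parse


def render_single_pass(template: str, context: dict, user_vars: dict) -> str:
    """Hardened form: one pass, user values inserted as escaped literals.

    re.sub substitutes each match exactly once and does not rescan the
    replacement text, so braces inside a user value stay inert. Unknown
    placeholders render as empty strings instead of being echoed back.
    """
    def expand(m: re.Match) -> str:
        key = m.group(1)
        if key in user_vars:                       # user data: escape, never evaluate
            return html.escape(str(user_vars[key]), quote=True)
        return html.escape(str(context.get(key, "")), quote=True)

    return PLACEHOLDER.sub(expand, template)


def demo() -> tuple[str, str]:
    """Render the same constructed input both ways and return (vulnerable, hardened)."""
    user_vars = {"name": "{{db_password}}"}          # constructed user input
    vulnerable = render_double_parse(TEMPLATE, {**SERVER_CONTEXT, **user_vars})
    hardened = render_single_pass(TEMPLATE, SERVER_CONTEXT, user_vars)
    return vulnerable, hardened


if __name__ == "__main__":
    bad, good = demo()
    print("double parse :", bad)
    print("single pass  :", good)
```

The practical checks to take from this: grep the code base for any place where the result of a render call is passed back into a render or `eval`-style call, and confirm that the renderer's context only contains values the page actually needs.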


The individual involved was not a staff member and had never been granted privileged access to NationStates’ servers. The player had previously submitted numerous legitimate bug and vulnerability reports over several years and had been recognized through the site’s Bug Hunter program, which encourages responsible disclosure. Despite this history, administrators said the player went beyond confirming the existence of the flaw and directly accessed the server, copying data to a personal system.


Although the player later apologized and claimed the copied data was deleted, NationStates stated it has no way to verify that assertion and is treating both the server and the exposed data as compromised.


The breach exposed multiple categories of user information. Compromised data includes current and historical email addresses associated with accounts, passwords stored as MD5 hashes, IP addresses used during login, and browser user-agent strings. Administrators also warned that portions of private in-game telegrams, which function as a direct messaging system between players, were likely exposed after the attacker attempted to copy data from a related system.


NationStates said it does not collect real names, physical addresses, phone numbers, or payment card information, and such data was therefore not involved in the incident.


The use of MD5 hashing for password storage significantly increased the risk associated with the breach. MD5 is considered obsolete and inadequate under modern security standards, particularly in scenarios where attackers may obtain offline copies of password hashes.


In response, NationStates has reported the incident to relevant government authorities and is rebuilding its production environment on new hardware. The company is conducting a comprehensive security audit, rewriting affected code paths, and upgrading its password storage to a stronger, modern hashing algorithm.


The site is expected to remain offline for an estimated two to five days. Once service is restored, users with registered email addresses will be able to reset their passwords and review the data associated with their accounts. Administrators have advised players to change passwords on any other services where the same credentials were reused.


NationStates described the incident as the most serious security event in the game’s history and said it is prioritizing long-term security improvements as part of the recovery process.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543