UPDATE ON NS OUTAGE
Detailed Data Breach Notice
Posted: 2:15am 30 Jan 2026 UTC
Overview
At about 10pm UTC on January 27, 2026, we received a report from a player who had discovered a critical bug in our application code. While testing this bug, the player gained access to our main production server and begun copying application code and user data to his personal system.
This player has a history of contributing about a dozen bug & vulnerability reports to NationStates since 2021, particularly over the last six months. He is not a member of staff and was never granted permission for server entry or any privileged access. His nation has been previously credited with a Bug Hunter badge, which is an initiative that rewards players for reporting bugs & site vulnerabilites for us to fix.
In his report, the player apologized for exceeding authorized testing boundaries, and claimed he deleted all copied data when he realized what he'd taken. We have no way of confirming this. We consider both the system and the data compromised as the result of an attack.
What Was Exposed
Data that was accessed contains:
- email addresses: including email addresses associated with the account in the past
- passwords: stored as MD5 hashes, which is an old protocol that is obsolete by modern standards, and inadequate to prevent decryption in an event like this, where an attacker could have an offline copy of the data
- IP addresses used to log in
- browser UserAgent strings used to log in
NationStates doesn't collect real names, addresses, phone numbers, or credit card information.
When the site is online, you can use the following page to see the exact data we store for your nation:
https://www.nationstates.net/page=private_info
The player did not gain entry to the server holding telegrams data, but did exploit access to it, and made an attempt to copy a portion of its data. We consider it likely that some contents were exposed.
The Bug
The vulnerability came from a new feature, Dispatch Search, which was implemented on Sep 2, 2025. The player was able to gain remote command execution (RCE) through a combination of a failure to sanitize user-supplied parameters with a double-parsing bug.
What We're Doing Right Now
- Reporting Obligations: We are making users and relevant government authorities aware of the breach.
- Server Rebuild: Since the production server must be considered compromised, we are completely rebuilding on new hardware.
- Software Audit: We are inspecting our code for any similar vulnerabilities.
- Hardening Systems: We are rewriting template parsing code to ensure that any similar bugs can't lead to the same outcome in the future.
- Upgrading Password Security: We are immediately implementing a project that had been awaiting approval to replace the password hashing algorithm with a stronger modern protocol.
- Developing Reopening Plan: We're figuring out how & when we can reopen.
What Will Happen Next
For nations with registered email addresses, you will be able to reset your password once the site reopens. We are still investigating the correct way to manage access to other nations.
