Emuparadise, one of the leading retro gaming websites on the net, has revealed that it suffered a data breach on April 1, 2018, resulting in the exposure of 1.1 million user accounts.
According to HIBP, 1,131,229 email addresses, IP addresses, usernames, and passwords were affected by the breach. Although the company had hashed the passwords, many are still worried, especially after the discovery that they were hashed with the MD5 algorithm, which was declared insecure and no longer safe by its creator back in 2012. This means that cracking them might not be too hard for hackers.
“We know even less about this breach than most. We know the source of the database, and the fact that it exists, but there are no details about how the incident occurred,” said Tim Erlin, vice president of product management and strategy at Tripwire. “It’s been well understood that MD5 is insecure for more than a decade, and its weaknesses have been actively exploited. Despite these known issues, MD5 has persisted for a long time.”
“It would be extremely rare to see new applications making use of MD5 for secure hashing. The problem is that there are so many legacy systems out there, following the modernized adage ‘if it ain’t down, don’t touch it.’ Until these applications are replaced, or the underlying infrastructure stops supporting MD5, we’ll continue to see this type of persistence.”
As reported by Infosecurity Magazine, some of those affected said that, over the weekend, they started receiving notices that their accounts had been compromised in a data breach.
“The retro gaming website EmuParadise was breached in April 2018. The vBulletin forum exposed 1.1m email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. 71% of addresses were already in @haveibeenpwned,” the company revealed on Twitter.
Emuparadise is a retro gaming forum offering a variety of ROMs for games from older platforms such as Atari, Nintendo, and Sony PlayStation. They can be played on emulators for gaming consoles. However, although emulators are considered legal, sharing copyrighted ROMs is generally considered to be the opposite.
To avoid copyright trouble, Emuparadise decided to stop hosting ROMs. The platform, however, remained a popular outlet for retro gaming fans.
As for the data breach, the operators urge everyone to check whether their account has been affected. Users can use the HaveIBeenPwned search engine to see if their account was included in the breach.