Over 1.1 million accounts managed by the retro gaming website Emuparadise were exposed in a newly reported breach that actually took place back on April 1, 2018.
Researcher Troy Hunt added Emuparadise to his “Have I Been Pwned?” data breach reference website yesterday, crediting the operators of hacked-database search engine DeHashed with supplying the compromised data.
The breach impacted 1,131,229 accounts and involved stolen email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. Because the MD5 algorithm is no longer considered sufficient for protecting passwords, affected users will want to make sure they are not using the same credentials across other web services.
“It’s been well understood that MD5 is insecure for more than a decade, and its weaknesses have been actively exploited,” said Tim Erlin, VP, product management and strategy at Tripwire. “The problem is that there are so many legacy systems out there following the modernized adage: ‘If it ain’t down, don’t touch it.’ Until these applications are replaced, or the underlying infrastructure stops supporting MD5, we’ll continue to see” MD5 persist, he added.
A separate June 8 tweet from Have I been Pwned? disclosed that the breach took place through Emuparadise’s vBulletin forum. (vBulletin is a popular brand of internet forum software.) The Twitter post also noted that 71 percent of addresses affected by the breach were previously entered into Hunt’s website due to other past incidents.
Emuparadise used to host ROMs for emulating old video games developed for popular consoles from companies like Atari, Nintendo and Sega. Due to legal concerns, the site’s operators recently removed all of the ROMs and essentially became a fan appreciation hangout instead.
SC Media did not find a breach notification on the Emuparadise website, emuparadise.me. However, several reports pointed to Emuparadise’s online forum, where an administrator with the user name “Cookie Monster” claimed that company forced a credentials reset in April 2018 after the incident took place, but never publicly acknowledged the breach.
SC Media has reached out to Emuparadise for comment.