Breach, Threat Management, Data Security

Paradise lost: 1.1 million accounts exposed in 2018 breach of gaming site Emuparadise

Over 1.1 million accounts managed by the retro gaming website Emuparadise were exposed in a newly reported breach that actually took place back on April 1, 2018.

Researcher Troy Hunt added Emuparadise to his "Have I Been Pwned?" data breach reference website yesterday, crediting the operators of hacked-database search engine DeHashed with supplying the compromised data.

The breach impacted 1,131,229 accounts and involved stolen email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. Because the MD5 algorithm is no longer considered sufficient for protecting passwords, affected users will want to make sure they are not using the same credentials across other web services.

"It's been well understood that MD5 is insecure for more than a decade, and its weaknesses have been actively exploited," said Tim Erlin, VP, product management and strategy at Tripwire. "The problem is that there are so many legacy systems out there following the modernized adage: 'If it ain't down, don't touch it.' Until these applications are replaced, or the underlying infrastructure stops supporting MD5, we'll continue to see" MD5 persist, he added.

A separate June 8 tweet from Have I been Pwned? disclosed that the breach took place through Emuparadise's vBulletin forum. (vBulletin is a popular brand of internet forum software.) The Twitter post also noted that 71 percent of addresses affected by the breach were previously entered into Hunt's website due to other past incidents.

Emuparadise used to host ROMs for emulating old video games developed for popular consoles from companies like Atari, Nintendo and Sega. Due to legal concerns, the site's operators recently removed all of the ROMs and essentially became a fan appreciation hangout instead.

SC Media did not find a breach notification on the Emuparadise website, However, several reports pointed to Emuparadise's online forum, where an administrator with the user name "Cookie Monster" claimed that company forced a credentials reset in April 2018 after the incident took place, but never publicly acknowledged the breach.

SC Media has reached out to Emuparadise for comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.