Website security specialists reported a data breach incident at Emuparadise, a videogame discussion forum that used to work as an emulator web portal, which affects over a million accounts from the website forums. The news even appears in Have I Been Pwned, a platform that verifies the security status of the websites, which has also confirmed the incident.
According to the operators of Have
I Been Pwned, the data breach has exposed details of the users of the
platform, such as usernames, email addresses, passwords and IP addresses
associated to users. While the passwords were secured by Emuparadise, the
administrators used the MD5 algorithm, considered unsafe even by its creators,
so, according to website security specialists, any threat actor with enough
skills to break with the encryption of a password with hashing could easily access
the information. “Keep using the same password after this incident could
leave the user in a compromising situation”, consider the experts.
Apparently, Emuparadise did not adequately
inform its users about the incident, and multiple users claim that, in fact,
the website never notified them of the data breach. Other versions say that
only the moderators of the forum were informed about the incident after its
discovery.
On the other hand, the administrators of the
website mentioned: “We do not
disclose the incident to the public, but we force a password reset; in fact,
this is a security policy on the website that we carry out a couple of times a
year”. Despite the stance of the forum administrators, website security specialists
consider that a data breach incident should be disclosed to the public as soon
as the compromised website or service detects the violation.
This is only one of the drawbacks that
Emuparadise administrators have faced. Last August, the website announced that
it would cease to function as a host of videogame emulators and ROMs (which was
its original function) to prevent the companies owning the games, such as Nintendo,
from trying to shut them down.
According
to the specialists from the International Institute of Cyber Security (IICS),
no more details about the incident due to the hermetic policy of the website
operators. In the next few hours some of the forum moderators are expected to
publish more information.
