Paradise lost: 1.1 million accounts exposed in 2018 breach of gaming site Emuparadise

News by Bradley Barth

The breach impacted 1,131,229 accounts and involved stolen email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes

Over 1.1 million accounts managed by the retro gaming website Emuparadise were exposed in a newly reported breach that actually took place back on 1 April, 2018.

Researcher Troy Hunt added Emuparadise to his "Have I Been Pwned?" data breach reference website this week, crediting the operators of hacked-database search engine DeHashed with supplying the compromised data.

The breach impacted 1,131,229 accounts and involved stolen email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. Because the MD5 algorithm is no longer considered sufficient for protecting passwords, affected users will want to make sure they are not using the same credentials across other web services.

"It’s been well understood that MD5 is insecure for more than a decade, and its weaknesses have been actively exploited," said Tim Erlin, VP, product management and strategy at Tripwire. "The problem is that there are so many legacy systems out there following the modernised adage: ‘If it ain’t down, don’t touch it.’ Until these applications are replaced, or the underlying infrastructure stops supporting MD5, we’ll continue to see" MD5 persist, he added.

A separate tweet on 8 June from Have I been Pwned? disclosed that the breach took place through Emuparadise’s vBulletin forum. (vBulletin is a popular brand of internet forum software.) The Twitter post also noted that 71 percent of addresses affected by the breach were previously entered into Hunt’s website due to other past incidents.

Emuparadise used to host ROMs for emulating old video games developed for popular consoles from companies like Atari, Nintendo and Sega. Due to legal concerns, the site’s operators recently removed all of the ROMs and essentially became a fan appreciation hangout instead.

SC Media did not find a breach notification on the Emuparadise website, emuparadise.me. However, several reports pointed to Emuparadise’s online forum, where an administrator with the user name "Cookie Monster" claimed that company forced a credentials reset in April 2018 after the incident took place, but never publicly acknowledged the breach.

SC Media has reached out to Emuparadise for comment.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Webcasts and interviews 

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop