Emuparadise gaming emulator website suffers data breach

Over one million accounts were leaked, and a vulnerable encryption algorithm may have been in play.


Retro gaming website Emuparadise has been involved in a data breach leading to the exposure of 1.1 million user accounts.

The security incident took place on April 1, 2018, but has only recently emerged after information from impacted user accounts was provided to HaveIBeenPwned by dehashed.com.

According to HaveIBeenPwned, 1,131,229 email addresses, IP addresses, usernames, and passwords were involved in the breach.


The passwords were stored as salted MD5 hashes.

The MD5 algorithm, used to hash passwords, was called "no longer safe" and end-of-life by its developer in 2012. This statement followed the severe LinkedIn data breach, which led to over 6.4 million passwords being leaked, and cracked in rapid succession due to the use of SHA-1.


Emuparadise is a retro gaming forum which used to offer a selection of ROMs for old games on platforms including Atari, Nintendo, and Sony PlayStation. ROMs can be played on emulators for gaming consoles, and while emulators are not, in themselves, illegal, sharing copyrighted ROMs is generally considered to be (though there is an argument for fair use if you are ripping a ROM from a title you own).

In order to stay out of copyright trouble, the website operator decided to stop hosting ROMs, but the platform remains a popular outlet for retro gaming fans. Emuparadise's vBulletin forum was apparently the source of the leak.


As with any data breach, it is sensible to check to see if you are affected. You can use the HaveIBeenPwned search engine to see if your account was included, and if so, the credentials used for this service should not be used anywhere else.

It is best practice to have a unique set of credentials for every online account you use, as when one set of usernames and passwords is compromised, this information could then be used to break into other accounts you own.

ZDNet has reached out to Emuparadise and will update if we hear back. 
