NationStates confirms data breach after player gained server access

On January 27, 2026, around 22:00 UTC, NationStates took its website offline after an unauthorized user gained remote code execution on its production server and copied user data, the site said in a data breach notice.

KEY FACTS

  • Incident: Unauthorized access to the production server and data copying
  • Date: January 27, 2026 around 22:00 UTC
  • Exposed data: Email addresses, MD5 password hashes, login IPs and browser UserAgent strings
  • Cause: Remote code execution via insufficient input sanitization and a double parsing bug in Dispatch Search
  • Site status: Offline while the production server is rebuilt, estimated restoration in two to five days

The disclosure states that a player who reported a critical vulnerability on January 27 exceeded authorized testing boundaries, gained RCE and copied application code and user data. The player had contributed about a dozen bug reports since 2021 and had previously received a Bug Hunter badge. The player later apologized and claimed to have deleted the copied data, but that claim cannot be verified.

The flaw originated in a feature called Dispatch Search, added on September 2, 2025. An attacker chained insufficient sanitization of user input with a double parsing bug to achieve remote code execution. Because of the unauthorized entry, the production server is being replaced and rebuilt on new hardware.

Exposed account data includes current and past email addresses, MD5 password hashes, login IP addresses and browser UserAgent strings. The game does not collect real names, physical addresses, phone numbers or payment information. Users can check the exact data stored for their account at the private information page.

The disclosure notes that the player did not gain entry to the telegrams server but attempted to copy a portion of its data, and that some telegram contents were likely exposed. The site estimates it will complete audits, security upgrades and a rebuild within two to five days while authorities are notified and an investigation continues.

WHY IT MATTERS

Exposed email addresses and obsolete MD5 password hashes increase the risk that an offline copy of the data could be used for credential cracking and account takeover. Users should expect further updates when the site returns and the investigation concludes.
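
An added example, not code from NationStates or its disclosure: one common way to retire MD5 password hashes like those named above is to check a login against the legacy hash once and immediately re-store it as salted scrypt, which also makes each offline guess far more expensive. The record layout, the unsalted hex MD5 format and the scrypt parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor (about 16 MiB per hash); tune for the real host.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def md5_hex(password: str) -> str:
    # Legacy format assumed here: unsalted hex MD5 of the password.
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login; on success replace a legacy MD5 record with salted scrypt."""
    if record["scheme"] == "md5":
        if not hmac.compare_digest(md5_hex(password), record["hash"]):
            return False
        salt = os.urandom(16)
        record.update(scheme="scrypt", salt=salt, hash=scrypt_hash(password, salt))
        return True
    if record["scheme"] == "scrypt":
        candidate = scrypt_hash(password, record["salt"])
        return hmac.compare_digest(candidate, record["hash"])
    return False  # unknown scheme: fail closed

def cost_ratio(samples: int = 5) -> float:
    """How many times slower one scrypt guess is than one MD5 guess on this host."""
    t0 = time.perf_counter()
    for i in range(samples):
        md5_hex(f"guess{i}")
    t1 = time.perf_counter()
    for i in range(samples):
        scrypt_hash(f"guess{i}", b"\x00" * 16)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)

if __name__ == "__main__":
    # Constructed sample record; not data from the breach.
    user = {"scheme": "md5", "hash": md5_hex("correct horse")}
    print(verify_and_upgrade(user, "wrong"), user["scheme"])
    print(verify_and_upgrade(user, "correct horse"), user["scheme"])
    print(f"one scrypt guess costs about {cost_ratio():.0f}x one MD5 guess")
```

Upgrading on login only protects the stored copy going forward; hashes already copied remain MD5, so affected passwords still need to be changed.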