Old database dump from Nexus Mods circulating in criminal circles: Change password

Fallout 4
Credit: Robert Couse-Baker

If you use mods for Fallout 4, Skyrim or over 200 other games, you might want to change your password: a Nexus Mods database dump from 2013 is circulating in 'criminal circles,' and some gamers who reused passwords reported that other accounts are also being breached.

Nexus Mods, a gaming site which has mods for 216 games, warned users about a “potential database breach” after a Reddit user was alerted by REN-ISAC that a “large number of student users had their credentials breached for nexusmods.com.”

Old database breach bites Nexus Mods again
Credit: Nexus Mods

A Reddit gamer, who works for a higher education institute, posted a copy of the email notifying users about the compromised credentials.

REN-ISAC, which stands for Research and Education Networking Information Sharing and Analysis Center, wrote:

The trusted party is not able to share associated passwords, hashes, or other information because of PII concerns of their attorneys. The ONLY information being made available is the account names. It will not be possible to determine if associated passwords meet your local complexity requirements.

The trusted party states that “.nexusmods.com does not do any password complexity enforcement other than it is between 3 and 32 characters,” wrote REN-ISAC before adding that the emails and passwords “are out on the Internet in criminal circles.”

Other gamers took to Reddit to confirm receiving an email from Ohio State University about the Nexus breach, and users from other universities said they had also received breach notifications.

After the Nexus Mods breach PSA, one Reddit user claimed his PSN account was compromised, with the attacker changing the password, as it was the same password used on Nexus. Another Redditor received an email from EA/Origin asking if a password reset had been requested; yet another reported someone had attempted to access his Humble Bundle and Blizzard accounts.

Nexus founder Robin Scott, aka DarkOne, recommended that users change their passwords in the first announcement about the breach. Although he said all passwords stored in the database were “hashed and salted,” he provided no additional details. Not all hashed and salted passwords are equally secure, and some methods are easier to crack. At the time of the compromise, the Nexus password policy did not include a required number or special character, and a password could contain only three characters. Scott said Nexus Mods intends to get its entire network – not just Premium Member payment pages – served via an encrypted SSL connection and it will start supporting two-factor authentication.
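The following is an added example, not code from Nexus Mods or from the original article, showing why “hashed and salted” alone says little about how well stored passwords resist guessing. The article does not name the algorithm Nexus used, so the two schemes compared here (one round of salted SHA-256 and PBKDF2 with 200,000 iterations) and the 95-character printable-ASCII alphabet are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ALPHABET = 95  # assumption: printable ASCII; the article states no character set

def keyspace(min_len, max_len, alphabet=ALPHABET):
    """Count candidate passwords whose length is min_len..max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def fast_salted(password, salt):
    """Single salted SHA-256: 'hashed and salted', yet cheap per guess."""
    return hashlib.sha256(salt + password.encode()).digest()

def slow_salted(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256: also 'hashed and salted', costly per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify(password, salt, stored, scheme):
    """Constant-time comparison of a login attempt with the stored hash."""
    return hmac.compare_digest(scheme(password, salt), stored)

def seconds_per_hash(scheme, trials=5):
    """Average wall-clock cost of one hash on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        scheme(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / trials

def exhaustion_estimates(min_len=3, max_len=3):
    """Seconds for one CPU core to hash every password of the given lengths."""
    total = keyspace(min_len, max_len)
    return {name: total * seconds_per_hash(fn)
            for name, fn in (("salted SHA-256", fast_salted),
                             ("PBKDF2, 200k iterations", slow_salted))}

if __name__ == "__main__":
    print(f"3-character passwords: {keyspace(3, 3):,}")
    for name, secs in exhaustion_estimates().items():
        print(f"{name:<26} {secs:>14,.1f} s to cover them all")
```

A per-account salt only rules out precomputed tables and hides which accounts share a password; the cost of each guess comes from the work factor of the hash, which is why a three-character minimum is a problem under any scheme.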

Not even a month ago, Nexus Mods proudly announced that due to the release of Fallout 4 it had over 10 million registered members.

Fallout 4 mods at Nexus Mods
Credit: Nexus Mods

Scott initially said the potential breach details were “too ambiguous to draw any concrete conclusions,” but ironically it was the tampering of three Fallout 4 files that made him “suspicious.” The Fallout 4 files had changes to a .dll file, “dsound.dll,” and the modders said they hadn’t made the changes. Those three Fallout 4 mods were “BetterBuild (downloads from 29th November), Higher Settlement Budget (downloads from 5th December), and Rename Dogmeat (downloads from 4th December).”

It’s not the first time the site has suffered security issues, as Scott referenced one database breach from several years ago. In 2014, a Nexus Mods staff account was compromised and the attacker removed popular mods and replaced them with malware-infested versions. Back in March 2013, a user on the Skyrim subreddit warned that Skyrim Nexus might be compromised as “skyrim_nexus.exe” could infect users’ systems with ransomware known as FBI Moneypak Virus; other Nexus users claimed the Nexus Mod Manager wasn’t the only infected file on the site. Back in 2011, users on a couple of different gaming forums also reported Nexus Mods serving up a “highly aggressive” Trojan.

Two days ago, Scott updated Nexus modders and users about the database breach; he said, “the database dump is old, with the last member in the database having registered on July 22nd 2013.” Still, Nexus Mods reportedly had 5 million users as of January 2013. Scott added, “The database dump isn't a complete database rip. The dump contains user IDs, usernames, email addresses, hashes and salts, and that's it.”

Scott wrote:

If you've updated your password since July 2013, your account on the Nexus sites should be safe and secure, as they will not have your new hashes/salts/password information. If you have not updated your password recently, please do so now as I am now personally confident that there have been no recent breaches of our network or databases. Similarly, if you still use the password you were using in July 2013, or before that date, on any other sites or services you should update them immediately.

As for compromised accounts, Scott said two of the modders with compromised accounts had used “extremely simple passwords. Passwords that would take a simple cracker mere seconds to crack.”

Unfortunately, Nexus Mods did not send out breach notifications – perhaps because it is from a previous time when its database was compromised; it also is not forcing users to change their passwords as they may no longer have access to the email used when registering a user account, Scott explained.

For now, Nexus Mods is working on a system which will alert users of potential breaches via “site-wide alerts and notifications;” it also upped its IP address logging to better spot suspicious account activity. Besides 2FA, future security changes also include “transitioning away from account security being controlled via the forums to account security being controlled via our own custom coded systems. Not only will this mean you no longer need to visit the forums to change your details, but it will also allow us to implement much stronger encryption of user data.” That way, Scott claimed, “Even if the worst were to happen and another dump was released to the public, we'd make it absolute hell for anyone looking to crack the data.”

That last little bit might imply the previously dumped hashed and salted passwords are not of the most uncrackable algorithm variety. If you were once active on a site like Nexus, but no longer are and therefore won’t get notified of a potential hack because you don’t log in, then I highly suggest keeping an eye on Have I Been Pwned to see if any of your email addresses are associated with breached accounts or paste dumps.
