NationStates confirms data breach, shuts down game site
Summary: The multiplayer browser game NationStates suffered a data breach after a player who had found a vulnerability exceeded his authorization and accessed the production server. The player used a flaw in the "Dispatch Search" feature to obtain remote code execution and copied user data. Although he later apologized and claimed to have deleted the data, the game's operators cannot verify this and must rebuild the server to be sure it is secure.

Reposted 2026-02-02 10:15:16. Source: www.bleepingcomputer.com


NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident.

The government simulation game, developed by author Max Barry and loosely based on his novel Jennifer Government, disclosed that an unauthorized user gained access to its production server and copied user data.

Vulnerability reporter crossed a line

On January 27, 2026, around 10pm (UTC), NationStates received a report from a player who discovered a critical vulnerability in its application code.


While testing the bug, however, the player exceeded authorized boundaries and gained remote code execution (RCE) on the main production server, allowing him to copy application code and user data to his own system.

"This player has a history of contributing about a dozen bug & vulnerability reports to NationStates since 2021, particularly over the last six months. He is not a member of staff and was never granted permission for server entry or any privileged access," wrote Barry in a data breach notice updated January 30th.

"His nation has been previously credited with a Bug Hunter badge, which is an initiative that rewards players for reporting bugs & site vulnerabilities for us to fix."

Although the individual later apologized and claimed the data was deleted, the site has no way to verify this and is therefore treating both the system and the data as compromised.

The breach stemmed from a flaw in a relatively new feature called "Dispatch Search," introduced on September 2, 2025. NationStates said the attacker chained together insufficient sanitization of user-supplied input with a double-parsing bug, resulting in an RCE.
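The article gives no detail of the Dispatch Search implementation, so the following is a hypothetical, added illustration of the general "double parsing defeats sanitization" pattern in Python, not NationStates' code and not the actual bug. The function names, the denylist and the two constructed inputs are all assumptions made for the example; it stays at the string level and executes nothing.

```python
import re
import urllib.parse
from typing import Optional

# Added, hypothetical illustration of the "double parsing defeats sanitization"
# pattern. It is NOT NationStates' Dispatch Search code; the article gives no
# detail of that implementation. The only thing shown here is how a value that
# is decoded a second time after sanitization can smuggle forbidden characters.

# Characters the downstream consumer must never see (a denylist, deliberately
# weak, as is typical of the pattern).
FORBIDDEN = set(";|&$`\n")


def sanitize(term: str) -> str:
    """Drop forbidden characters from an already-decoded search term."""
    return "".join(ch for ch in term if ch not in FORBIDDEN)


def vulnerable_search_term(raw_query: str) -> str:
    """Parse #1: percent-decode the query parameter, then sanitize it.

    Parse #2 (the bug): a lower layer percent-decodes the value AGAIN before
    handing it to the search backend. Anything the client double-encoded is
    still a harmless '%XX' sequence when sanitize() inspects it, and only
    becomes the forbidden character after the second decode.
    """
    decoded_once = urllib.parse.unquote(raw_query)
    cleaned = sanitize(decoded_once)
    return urllib.parse.unquote(cleaned)  # second parse of the same value


def hardened_search_term(raw_query: str) -> Optional[str]:
    """Decode exactly once, then validate the fully decoded value.

    Validation uses an allowlist over the final form of the data, so a
    remaining '%' (or any other unexpected character) is rejected instead of
    being interpreted later. Returns None when the term is rejected.
    """
    decoded = urllib.parse.unquote(raw_query)
    if re.fullmatch(r"[A-Za-z0-9 _.'-]{1,64}", decoded) is None:
        return None
    return decoded


# Constructed inputs: a benign query and a double-encoded one where %253B is
# %3B after one decode and ';' after two.
BENIGN = "hello%20world"
DOUBLE_ENCODED = "dispatch%253B%2520id"

if __name__ == "__main__":
    print(repr(vulnerable_search_term(BENIGN)))          # 'hello world'
    print(repr(vulnerable_search_term(DOUBLE_ENCODED)))  # 'dispatch; id'  <- ';' survived
    print(repr(hardened_search_term(BENIGN)))            # 'hello world'
    print(repr(hardened_search_term(DOUBLE_ENCODED)))    # None (rejected)
```

The point of the hardened version is not the particular regex but the ordering: every decoding step happens before validation, validation is an allowlist over the final form, and the value is never parsed again afterwards. Whatever the real Dispatch Search flaw looked like, a sanitizer that runs on an intermediate representation can be bypassed by any encoding the later parser still honours.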

"This is a critical bug, and the first time something like this has been reported in the site's history. We're grateful for the report. Unfortunately, the reporter didn't merely confirm the bug's existence, but also then went ahead and breached the server."

"Because there was unauthorized entry to the server, the only way to be sure it's secure is to completely hose it and rebuild. We also need to determine what material was accessed or copied off the server. This will likely take at least a few days," Barry had earlier written, shortly after being made aware of the data exposure.

Today, in tests by BleepingComputer, the nationstates.net site was intermittently up, displaying the breach notice, before going down at the time of writing.

Exposed data includes email addresses, MD5 password hashes

The exposed data contained:

  • Email addresses (including email addresses associated with the account in the past)
  • Passwords: stored as MD5 hashes. MD5 is a fast, general-purpose hash function that is obsolete for password storage by modern standards and inadequate to resist offline cracking in an event like this, where the attacker holds a copy of the data
  • IP addresses used to log in
  • Browser User-Agent strings used to log in
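To make concrete why an offline copy of unsalted MD5 hashes is a serious exposure, and what the "upgrading password security" mentioned later in the article would need to change, here is an added Python example that is not NationStates' code or data. The three accounts and their hashes are constructed (the first two are the MD5 of two very common passwords, the third an arbitrary placeholder), the wordlist is tiny, and PBKDF2-HMAC-SHA256 with a per-user random salt is used as one reasonable modern scheme; the article does not say which scheme NationStates is adopting.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Added example, not code or data from NationStates. It shows why unsalted,
# fast MD5 password hashes in an offline copy of a database are effectively
# plaintext for weak passwords, and what a modern scheme (PBKDF2-HMAC-SHA256
# with a per-user random salt, used here as one reasonable choice; the article
# does not say which scheme NationStates is moving to) changes.

# Constructed "dump": three made-up accounts with unsalted MD5 hashes.
# The first two are the MD5 of very common passwords; the third is an
# arbitrary hex string standing in for a strong password's hash.
LEAKED_MD5: Dict[str, str] = {
    "nation_alpha": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "nation_beta":  "d8578edf8458ce06fbc5bb76a58c5ca4",  # md5("qwerty")
    "nation_gamma": "3b4a7d2e9f1c0a5b8e6d4c2f1a9b7e5d",  # placeholder, not in wordlist
}

# A tiny constructed wordlist; real attackers use billions of candidates plus
# rule-based mutations, and MD5 runs at billions of guesses per second on a GPU.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "dragon"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5_dump(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Offline dictionary attack against unsalted MD5.

    Because there is no salt, one hash per candidate word is computed ONCE and
    reused against every account: a single lookup table cracks the whole dump.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table.get(digest) for user, digest in dump.items()}


# --- a modern alternative: salted, slow, verifiable -------------------------

PBKDF2_ITERATIONS = 600_000  # deliberately slow; tune to ~100ms+ on your hardware


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh 16-byte random salt per user means identical passwords produce
    different records, so a precomputed table is useless and every account
    must be attacked separately at 600k iterations per guess.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    print(crack_md5_dump(LEAKED_MD5, WORDLIST))
    # {'nation_alpha': 'password', 'nation_beta': 'qwerty', 'nation_gamma': None}
    rec1 = hash_password_pbkdf2("password")
    rec2 = hash_password_pbkdf2("password")
    print(rec1 != rec2, verify_password("password", rec1), verify_password("Password", rec1))
    # True True False
```

Two properties matter for a breach like this one. Without a salt, the same lookup table serves every account in the dump, so the attacker's cost is one MD5 per candidate password regardless of how many users there are. With a per-user salt and a slow, tunable function, each account must be attacked separately and each guess costs hundreds of thousands of iterations, which is what turns "offline copy of the hashes" from an immediate credential leak into a problem only for genuinely weak passwords. Since the hashes were copied, every affected user should still treat the password as known to the attacker and change it anywhere it was reused.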

Telegrams data: "The player did not gain entry to the server holding telegrams data, but did exploit access to it, and made an attempt to copy a portion of its data. We consider it likely that some contents were exposed," further warns the data breach notice.

In the context of the game, a telegram is an internal private messaging system, similar to email or forum private messages (PMs).

NationStates states that it does not collect real names, physical addresses, phone numbers, or credit card information.

The website is estimated to be back online within two to five days. Once restored, users will be able to reset their passwords, and check the exact data stored for their nation at https://www.nationstates.net/page=private_info.

In the meantime, NationStates has reported the incident to government authorities, as it focuses on completely rebuilding the production server on new hardware, conducting security audits and enhancements, and upgrading password security.



Source: https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/