[BreachExchange] Emuparadise gaming emulator website suffers data breach

Mon Jun 10 09:51:23 EDT 2019

https://www.zdnet.com/article/emuparadise-gaming-rom-repository-suffers-data-breach/

Retro gaming website Emuparadise has been involved in a data breach
leading to the exposure of 1.1 million user accounts.

The security incident took place on April 1, 2018, but has only
recently emerged after information from impacted user accounts was
provided to HaveIBeenPwned by dehashed.com.

According to HaveIBeenPwned, 1,131,229 email addresses, IP addresses,
usernames, and passwords were involved in the breach.

Given that the passwords were stored as salted MD5 hashes, it is
reasonable to consider the credentials as lost and easily cracked.

The MD5 algorithm, used to hash passwords, was called "no longer safe"
and end-of-life by its developer in 2012 following the severe LinkedIn
data breach which led to over 6.4 million passwords being leaked --
and decrypted -- in rapid succession.

Emuparadise is a retro gaming forum which used to offer a selection of
ROMs for old games on platforms including Atari, Nintendo, and Sony
PlayStation. ROMs can be played on emulators for gaming consoles and
while emulators are, in themselves, not illegal, sharing copyrighted
ROMs is generally considered so (but there is an argument for fair use
if you are ripping a ROM from a title you own).

In order to stay out of copyright trouble, the website operator
decided to stop hosting ROMs, but the platform remains a popular
outlet for retro gaming fans. Emuparadise' vBulletin forum was
apparently the source of the leak.

As with any data breach, it is sensible to check to see if you are
affected. You can use the HaveIBeenPwned search engine to see if your
account was included, and if so, the credentials used for this service
should not be used anywhere else.

It is best practice to have a unique set of credentials for every
online account you use, as when one set of usernames and passwords is
compromised, this information could then be used to break into other
accounts you own.

ZDNet has reached out to Emuparadise and will update if we hear back.