Emuparadise Breach Compromised 1.1 Million Accounts

Credit: Shutterstock

Emuparadise might want to consider a different name. Have I Been Pwned? (HIBP) revealed that 1.1 million accounts from the site's forums, where people gather to discuss game console emulators, were compromised in a data breach that occurred in April 2018 but wasn't disclosed until June 8.

HIBP said the breach revealed email addresses, IP addresses, usernames and passwords. The good news is that the passwords were hashed. The bad news is that they were hashed using the MD5 algorithm, which its creator declared insecure back in 2012, so it would've been pretty easy for anyone with experience cracking hashed passwords to recover them. Continuing to use it after that point would be like using a broken chain to lock up a bike.

Emuparadise doesn't appear to have mentioned the breach on its site proper. There is a thread on the forums discussing HIBP's disclosure, though, and several users claimed they were never told about the breach. Others said that it was disclosed when it happened--but not to the public. Some of the forum's leadership team, including an administrator going by "Cookie Monster," said that forum staff members were informed of the breach.

"We didn't announce it publicly but we forced everyone to change their password," Cookie Monster wrote. "And we enforce that measure twice every year. This is old news." While that appears to be the case for the Emuparadise forum leadership, most people consider a data breach to be disclosed when it's revealed to the public, not when a team of pseudonymous forum leaders quietly discusses that more than 1 million accounts were compromised.

Not that a forum breach would be the biggest problem Emuparadise has had to overcome in recent memory. The site announced in August 2018 that it would no longer host console emulators or game ROMs--which were essentially its reason for being--to avoid increasing scrutiny from game publishers. (Especially Nintendo, which scored a legal victory over another ROM distributor just a few months after Emuparadise made its decision.)

Other details about the Emuparadise breach remain unknown. Was the information taken by someone with access to it or by someone who forced their way into the forum infrastructure? Each answer would most likely warrant a different response. Passwords are said to be reset twice a year, but are they still hashed with the MD5 algorithm, despite it being obsolete? The public doesn't know; Emuparadise forum users have to hope Cookie Monster does.
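On the closing question of whether the passwords are still stored as MD5: the sketch below is an added example, not Emuparadise's or its forum software's code, showing how a site can move off MD5 without knowing anyone's plaintext. It assumes the legacy column holds unsalted MD5 hex digests (the article does not say how the hashes were built), and the record formats and function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: work factor chosen for PBKDF2-HMAC-SHA256


def legacy_md5(password: str) -> str:
    # Assumed legacy format: unsalted MD5 hex digest (not confirmed by the article).
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(secret: bytes, salt: bytes = None) -> str:
    # Per-user random salt plus a slow KDF; everything needed to verify is in the record.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def wrap_legacy(md5_hex: str) -> str:
    # Bulk step, run once over the table: wrap each stored MD5 digest in PBKDF2
    # so no fast hash remains at rest. Needs no plaintext and no user action.
    return "md5+" + pbkdf2_record(md5_hex.lower().encode())


def _check(secret: bytes, record: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password: str, stored: str):
    # Returns (login_ok, record_to_store). A successful login against either
    # legacy format yields a native PBKDF2 record computed from the password.
    if stored.startswith("pbkdf2$"):
        return _check(password.encode(), stored), stored
    if stored.startswith("md5+pbkdf2$"):
        ok = _check(legacy_md5(password).encode(), stored[len("md5+"):])
    else:  # raw legacy digest that the bulk step has not reached yet
        ok = hmac.compare_digest(legacy_md5(password), stored.lower())
    return ok, (pbkdf2_record(password.encode()) if ok else stored)


if __name__ == "__main__":
    row = wrap_legacy(legacy_md5("constructed-sample-password"))
    print(verify_and_upgrade("constructed-sample-password", row)[1][:20])
```

Counting rows whose stored value does not start with `pbkdf2$` shows how many accounts still depend on MD5 at any point in the migration.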