Nexus Mods reports security breach, 'small number' of user records accessed

A load of tiles showing games Nexus Mods has mods for.
(Image credit: Nexus Mods)

The popular mod repository Nexus Mods revealed today that it suffered a data breach in November, during which a "potentially malicious third-party actor" was able to access a small number of user records, including email addresses and password salts and hashes.

"Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes and password salts has taken place," Nexus Mods wrote.

"We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step we took is ensuring that the new passwords are not only better protected, but that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date."

Nexus Mods said that it has no evidence of breaches prior to this one, but acknowledged that it can't say for certain that the exploit hasn't been used previously, "and thus cannot ascertain how many - if any - email addresses, password hashes and salts were accessed."

As a result of the breach, Nexus Mods is asking all users to log out and then back in, in order to migrate their accounts to the new user service, and to change the password elsewhere if it was shared with other sites. It would also be wise to enable two-factor authentication wherever possible.

Nexus Mods didn't say why it took more than a month to publicly report the breach, but said that it reported it to the UK's Information Commissioner's Office as required by law, and is now "in the process of fulfilling our obligations related to the matter."

Andy Chalk

Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.