Nexus Mods user database may have been breached

Nexus Screengrab

Update: Nexus has now been given the all-clear—the current scare was a result of an old breach, but you should still change your password if your account is older than July 2013.

Original: Change your password if you have an account at Nexus Mods—the situation isn't clear, but there are indications that internet miscreants might have got at the user database.

Overall it sounds like Nexus founder Robin 'Dark0ne' Scott has had a bad weekend. Announcing the incident on the Nexus website, he states that he heard about the potential breach second-hand from a post on Reddit. User AreYouReadyToReddit received a report from higher education cybersecurity firm REN-ISAC that a number of student Nexus Mods accounts had been compromised. The original text is here, but it's not exactly laden with detail. Scott has yet to hear back from REN-ISAC because they don't work weekends. Hurrah.

Though Nexus hasn't been able to confirm a breach, three modders reported that their projects had been changed to include a new .dll file, ostensibly by their own accounts (see update). Far from damning evidence, however, at present it's impossible to say whether this is the result of a new breach, a previous incident like 2014's trojan attack or users recycling passwords from other compromised networks.

The good news is that all Nexus payments are handled through PayPal, so there's no risk to card details.

I'll update this post if new information comes to light, but in the meantime you can change your password here.

Update: Courtesy of Dark0ne, the mods that founds themselves with suspicious dll files were:

  • Higher Settlement Budget (downloads from 5th December)
  • Rename Dogmeat (downloads from 4th December)
  • BetterBuild (downloads from 29th November)