The popular mod repository Nexus Mods revealed today that it suffered a data breach in November, during which a "potentially malicious third-party actor" was able to access a small number of user records, including email addresses and password salts and hashes.
"Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes and password salts has taken place," Nexus Mods wrote.
"We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step we took is ensuring that the new passwords are not only better protected, but that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date."
Nexus Mods said that it has no evidence of breaches prior to this one, but acknowledged that it can't say for certain that the exploit hasn't been used previously, "and thus cannot ascertain how many - if any - email addresses, password hashes and salts were accessed."
As a result of the breach, Nexus Mods is asking all users to log out and then back in, in order to migrate their accounts to the new user service, and to change their password on any other sites where the same password was used. It would also be wise to enable two-factor authentication wherever possible.
Nexus Mods didn't say why it took more than a month to publicly report the breach, but said that it reported it to the UK's Information Commissioner's Office as required by law, and is now "in the process of fulfilling our obligations related to the matter."