Softpedia >News >Security >Data Breaches
Softpedia Homepage   

Information of 396K Users Exposed in Facepunch Data Breach

The leak included salted MD5 password hashes and usernames

Oct 17, 2018 17:29 GMT  ·  By
Facepunch data breach
   Facepunch data breach

As reported by Troy Hunt's Have I Been Pwned breach notification service, the Facepunch game studio was the victim of a data breach in June 2016 which led to sensitive information of 396,650 users being exposed.

Facepunch is a game development studio based in Wallsall, UK, known for developing the Rust survival game and the Garry's Mod physics sandbox.

The Have I Been Pwned (HIBP) service was created by Troy hunt as a repository of all the data leaked in security breaches made public, with passwords being removed from the information stored in HIBP's database.

HIBP can also automatically notify you when your e-mail address appears in a database stolen after a data breach.

According to the e-mail sent by Have I Been Pwned to all users who had their data leaked in the Facepunch data breach, "The breached data included usernames, email and IP addresses, dates of birth and salted MD5 password hashes."

Furthermore, the Facepunch studio said they knew about the security breach and that all people involved in it were notified after the June 2016 data theft incident.

The Facepunch game development studio behind Rust and Garry's Mod suffered a data breach in June 2016 exposing 396,650 users

Despite that, according to a thread on the company's forum, some users say that they did not receive any e-mail notification from Facepunch after their information was leaked.

Moreover, they have only been made aware that the data breach happened after receiving the automated alert from the Have I Been Pwned service.

As the other Facepunch user say, the data breach occurred because of "injected credential stealing code using a vBulletin exploit" which took "advantage of browser credential autofill on the /modcp or /admincp page."

"The data was provided to HIBP by whitehat security researcher and data analyst Adam Davies," also says the e-mail notification sent by Have I Been Pwned to the users involved in the Facepunch breach.