If you’re big on mods or have gone deep into Fallout 4 on PC, there’s a good chance you’ve come across NexusMods and their automated software, the Nexus Mods Manager. And if you’ve used either, it’s now time for a PSA: their databases appear to have been breached, and it’s time to change your passwords.
In a lengthy statement on their website, the Nexus Mods owner said they could not “in good conscience not warn you of the potential” that the site’s security had been breached, after information was brought to light late last week.
According to the post, the REN-ISAC security firm in the United States had contacted several universities and told them that emails and passwords relating to the nexusmods.com domain were “out on the internet in criminal circles”.
A thread on the r/gaming/ subreddit also went up late on Friday, corroborating the REN-ISAC notification and saying that “a large number of student users had their credentials breached”.
The Nexus Mods owner noted that while the email (which was reposted to Imgur, as linked above) is fairly unambiguous, it was too vague to draw specific conclusions. “We indeed had a database breach several years ago when hackers gained entry to our systems by hacking our file server hosts (a horrible way to be hacked, when it’s not even directly your fault), so this could potentially be a result of that previous leak, or it could be a result of recent database breaches at other major networks (like the Playstation Network, EBay or otherwise) and hackers correlating information from reused passwords, or any number of things.”
“Things became more suspicious yesterday when three Fallout 4 mods from three separate authors had their files changed by the authors themselves, but the file change contained a .dll file that while it isn’t being reported as a virus by our Virus Total system (that scans files using 56 different virus scanners), it is still highly suspicious, and the authors have reported it wasn’t them who did it,” they added.
The three mods affected were BetterBuild, Rename Dogmeat and Higher Settlement Budget, with the suspect file in the archives titled “dsound.dll”. It’s recommended that all users change their passwords, as the admins are working to precisely uncover the nature of the breach — or whether it may have been a follow-up from the previous hack years ago.
Two-factor authentication has become a higher priority for the site, the post says, and anyone who used their Nexus account password for other websites should change those immediately as well. “I’m sorry for (potentially, at this point) breaking your trust in us. We’ll continue working away at this to get a conclusive answer and, when we do, you’ll be the first to know.”