NationStates confirms data breach, shuts down game site

NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident.

The government simulation game, developed by author Max Barry and loosely based on his novel Jennifer Government, disclosed that an unauthorized user gained access to its production server and copied user data.

Vulnerability reporter crossed a line

On January 27, 2026, around 10pm (UTC), NationStates received a report from a player who discovered a critical vulnerability in its application code.

While testing the bug, however, the player exceeded authorized boundaries and gained remote code execution (RCE) on the main production server, allowing him to copy application code and user data to his own system.

"This player has a history of contributing about a dozen bug & vulnerability reports to NationStates since 2021, particularly over the last six months. He is not a member of staff and was never granted permission for server entry or any privileged access," wrote Barry in a data breach notice updated January 30th.

"His nation has been previously credited with a Bug Hunter badge, which is an initiative that rewards players for reporting bugs & site vulnerabilities for us to fix."

Although the individual later apologized and claimed the data was deleted, the site has no way to verify this and is therefore treating both the system and the data as compromised.

The breach stemmed from a flaw in a relatively new feature called "Dispatch Search," introduced on September 2, 2025. NationStates said the attacker chained together insufficient sanitization of user-supplied input with a double-parsing bug, resulting in an RCE.

"This is a critical bug, and the first time something like this has been reported in the site's history. We're grateful for the report. Unfortunately, the reporter didn't merely confirm the bug's existence, but also then went ahead and breached the server."
