NexusMods

We've observed a consistent pattern: older breaches, often dismissed as "historical," resurface to fuel new attacks. What really struck us wasn't the age of this particular breach, but how readily its contents could still be weaponized. The NexusMods data, dating back to 2013, had been circulating quietly, but we noticed a spike in mentions across several dark web forums known for credential stuffing and account takeover schemes. This isn't just about old passwords; it's about the enduring value of legacy data for modern threat actors.

The NexusMods Leak: Almost 5 Million Accounts Exposed

The NexusMods breach, initially disclosed in December 2015, exposed nearly 5 million user accounts from the popular game modding platform. While the breach itself is not new, its continued relevance in the threat landscape caught our attention. The data had been traded months in advance, with the breach itself happening on July 21st, 2013. We discovered renewed chatter on several dark web marketplaces and Telegram channels, indicating active use of the leaked credentials. The setup here felt different because the focus wasn't on selling the data, but on sharing tools and techniques for leveraging it against gaming accounts and related services.

This breach matters to enterprises now because it highlights the long tail of data breaches. Even years after an incident, compromised credentials can be repurposed for credential stuffing attacks against other platforms, including enterprise systems where users may have reused passwords. The gaming community is a lucrative target, and stolen credentials can be used to access in-game assets, virtual currencies, and even linked financial accounts.

This incident ties into broader threat themes involving stealer logs and the automation of attacks. Threat actors often use automated tools to test leaked credentials against multiple targets, increasing the likelihood of successful account takeovers.

Key point: Total records exposed: 4,979,061

Key point: Types of data included: Email Address, Username, Passwords (salted hashes)

Key point: Sensitive content types: Potentially linked financial accounts (indirectly)

Key point: Source structure: Database

Key point: Leak location(s): Dark web forums, Telegram channels

Key point: Date of initial breach: July 21, 2013

External Context & Supporting Evidence

While specific URLs to forum threads related to this renewed activity are difficult to provide due to the ephemeral nature of dark web forums, discussions around using older gaming credentials for account takeovers are commonplace. Security researcher Troy Hunt's "Have I Been Pwned?" website includes the NexusMods breach in its database, confirming the validity of the leaked data.

The incident also highlights the need for robust password management practices and the importance of monitoring for leaked credentials. As KrebsOnSecurity has repeatedly reported, password reuse is a significant problem, and older breaches can provide attackers with a valuable source of credentials for targeting new victims.

Hash · Type · Email · Address · Username · Passwords