Cyber Incident Victim: Facepunch Studios

In June 2016, Facepunch Studios, a UK-based game developer known for titles like Rust and Garry’s Mod, suffered a data breach compromising 396,650 user accounts. Attackers exploited a vulnerability in the vBulletin software used by the studio, injecting credential-stealing code that targeted browser autofill functionality on administrative control pages (/modcp and /admincp). This technique allowed unauthorized access to sensitive user information stored in Facepunch’s systems. The stolen data included usernames, email addresses, IP addresses, dates of birth, and password hashes protected with salted MD5 encryption. While the breach occurred in June 2016, its public disclosure occurred later through third-party channels. Facepunch confirmed awareness of the incident and stated they had notified affected individuals shortly after discovering the breach, though the exact timeline of their internal detection and response was not detailed in available reports.

The compromised dataset surfaced publicly when whitehat security researcher Adam Davies provided it to Troy Hunt’s Have I Been Pwned (HIBP) service, which verified its authenticity and added it to their breach notification database in 2018. HIBP alerted impacted users via email, specifying the types of exposed data and confirming the passwords were hashed with a salt – a security measure that theoretically increases cracking difficulty but remains vulnerable to determined attacks given MD5’s cryptographic weaknesses. Facepunch did not disclose whether they forced password resets or enhanced authentication mechanisms post-breach. The studio’s public acknowledgment confirmed the breach’s root cause as credential theft via the vBulletin exploit but did not elaborate on specific remediation steps taken to secure their systems beyond notifying users. No secondary consequences, such as account takeovers or fraud incidents linked to the breach, were explicitly documented in the source material.