Facepunch Studios

Aliases: 2 aliases
Primary URL: facepunch[.]com
Location: United Kingdom
Industry: Entertainment

Profile

Facepunch Studios, headquartered in the United Kingdom, operates as a game development company. The organization is known within the interactive entertainment sector for creating and maintaining online multiplayer games that cultivate dedicated player communities. Its operational footprint is indicated by a significant user base, as evidenced by a major security incident affecting hundreds of thousands of registered individuals. The studio's activities involve managing persistent online services and user accounts, which necessitates handling substantial volumes of personal data. This context positions Facepunch as a mid-sized developer with a notable digital presence, though specific market share or revenue figures are not provided. The company's work inherently involves navigating the technical and security complexities associated with live-service game environments.

In June 2016, Facepunch Studios suffered a serious data breach that compromised the sensitive information of approximately 396,650 users. The incident occurred through unauthorized access via an injected credential-stealing script that exploited a known vulnerability in the vBulletin forum software, specifically targeting administrative pages with browser autofill features. Exposed data elements included usernames, email addresses, IP addresses, dates of birth, and salted MD5 password hashes. Following discovery, the studio formally acknowledged the security event and undertook efforts to notify the affected individuals. The breach dataset was subsequently obtained by a whitehat security researcher who provided it to a public notification service, facilitating broader awareness. This event highlights a critical period in the organization's security posture, demonstrating both the threat landscape facing gaming platforms and the procedural steps taken in response to such a compromise. The technical specifics of the attack vector and the nature of the exposed data provide concrete insight into the types of risks encountered. The involvement of an independent researcher in the disclosure process also reflects aspects of the wider security community's interaction with the incident.

Incidents
1 incident