Full Report
In July 2016, the now defunct free online games list website OnRPG suffered a data breach that was later redistributed as part of a larger corpus of data. The incident exposed just over 1M email and IP addresses alongside usernames and passwords stored as salted MD5 hashes.
Analysis Summary
# Incident Report: OnRPG Data Breach (2016)
## Executive Summary
In July 2016, the now defunct online games list website OnRPG suffered a data breach exposing just over 1 million user records: email addresses, IP addresses, usernames, and passwords stored as salted MD5 hashes. The incident only became public later, when the data was redistributed as part of a larger breach corpus. Because the site no longer exists, the only meaningful response is on the user side: assume the OnRPG password is recoverable, change it on every service where it was reused, and enable two-factor authentication where supported.
## Incident Details
- Discovery Date: Not explicitly stated (reported later as part of a larger corpus distribution)
- Incident Date: July 2016
- Affected Organization: OnRPG (Defunct)
- Sector: Online Gaming / Web Directory
- Geography: Not disclosed
## Timeline of Events
### Initial Access
- Date/Time: July 2016
- Vector: Unknown; the source does not state how the OnRPG infrastructure was compromised.
- Details: Attackers obtained a copy of the user database.
### Lateral Movement
- Not detailed in the provided context. Nothing in the source indicates which systems beyond the user database were reached, so no movement should be assumed either way.
### Data Exfiltration/Impact
- Compromised Data: Over 1 million records including email addresses, IP addresses, usernames, and passwords (stored as salted MD5 hashes).
### Detection & Response
- Detection: No detection by OnRPG is recorded. The data was confirmed and loaded into Have I Been Pwned (HIBP) on May 8, 2025; that is the public disclosure and re-release date, not the time of compromise.
- Response actions taken: None recorded by the operator, which is defunct. Users are advised to change any reused passwords and enable 2FA.
## Attack Methodology
- Initial Access: Unknown; not stated in the source.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Direct read of the user database (usernames and salted MD5 password hashes).
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: User credential and identity data (email address, IP address, username, password hash) gathered from the database.
- Exfiltration: The database was copied out of the environment; the dump later circulated as part of a larger breach corpus.
- Impact: Disclosure of account details. Salted MD5 is fast to crack offline, so recovered passwords enable credential stuffing against other services where users reused them; email and IP address pairs also support targeted phishing.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Over 1 million user records containing email addresses, IP addresses, usernames, and salted MD5 hashes of passwords.
- Operational: Not specified, but the organization is noted as defunct.
- Reputational: Not meaningfully assessable for a defunct operator. The lasting harm falls on users whose reused passwords can be recovered from the MD5 hashes and replayed against other accounts.
## Indicators of Compromise
- **Network indicators**: None provided in the source.
- **File indicators**: None provided.
- **Behavioral indicators**: None provided. The only observable artifact is the dataset itself, a user table with the fields listed above, circulating in a breach corpus.
## Response Actions
- **Containment measures**: Not detailed; the organization is defunct and no operator response is recorded.
- **Eradication steps**: Not detailed.
- **Recovery actions**: Users advised to change passwords immediately and enable 2FA on related accounts.
## Lessons Learned
- Salted MD5 is not an acceptable password store. The salt defeats precomputed (rainbow) tables and hides which users share a password, but MD5 itself is so cheap that an attacker holding the dump can test billions of guesses per second per GPU, so most human-chosen passwords fall to offline dictionary and rule-based cracking despite the salt.
- Data retention should be minimised: store only what the service needs (IP addresses of forum users rarely qualify), and delete user data when a service shuts down. Data that no longer exists cannot leak or be redistributed years later.
## Recommendations
- Anyone who held an OnRPG account and reused that password elsewhere should change it on every service where it was reused. The site is defunct, so the password cannot be changed there, and the hashes have been in circulation since at least the 2016 compromise.
- All users should enable Two-Factor Authentication (2FA) on critical accounts, so that a recovered password alone is not sufficient for login.
- Organizations must store passwords with a deliberately slow, salted password hash (Argon2id, bcrypt or scrypt; PBKDF2 with a high iteration count as a fallback), never MD5 or SHA-family digests, salted or not.
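The two points above (why a salt does not rescue MD5, and what a modern password hash changes) are illustrated by the following added example. It is written for this report and is not OnRPG's code; the site's stack is unknown. The storage layout `salt_hex$md5_hex` with `md5(salt || password)`, the short wordlist, the sample password and the scrypt cost parameters are all assumptions constructed for the demonstration. The example cracks one leaked salted-MD5 row with a dictionary attack (the salt sits beside the digest, so the attacker simply uses it), then hashes and verifies the same password with `hashlib.scrypt` from the standard library and measures the guesses-per-second of each scheme, which is the property an offline attacker actually cares about.

```python
"""Salted MD5 versus a modern password hash (added example, not OnRPG code)."""
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

# --- The weak scheme the OnRPG dump used: salted MD5 --------------------------
# Storage format is an assumption for this example: "salt_hex$md5_hex" where the
# digest is md5(salt || password). Many legacy PHP forums stored rows like this.

def md5_salted(salt: bytes, password: str) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()

def make_md5_row(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(8)
    return f"{salt.hex()}${md5_salted(salt, password)}"

def crack_md5_row(row: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one leaked row.

    The salt is stored next to the digest, so the attacker just prepends it.
    A salt defeats precomputed tables and hides password reuse between users;
    it does nothing about the per-guess cost, which is what MD5 gets wrong.
    """
    salt_hex, digest = row.split("$")
    salt = bytes.fromhex(salt_hex)
    for guess in wordlist:
        if md5_salted(salt, guess) == digest:
            return guess
    return None

# --- A modern scheme from the standard library: scrypt ------------------------
# Cost parameters are an assumption for this example; tune them so one hash
# costs tens of milliseconds on the login servers. Argon2id or bcrypt are
# equally good choices; scrypt is used here only because hashlib ships it.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}

def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    scheme, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown password hash scheme")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         dklen=32, **SCRYPT_PARAMS)
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def guesses_per_second(hash_one: Callable[[str], object], iterations: int) -> float:
    """Rough single-core throughput of a hash function, in guesses per second."""
    start = time.perf_counter()
    for i in range(iterations):
        hash_one(f"guess{i}")
    return iterations / (time.perf_counter() - start)

# Constructed demo data: the first few entries of any attacker's wordlist.
WORDLIST = ["123456", "password", "qwerty", "dragon2016", "letmein"]

def demo() -> dict:
    salt = bytes.fromhex("0123456789abcdef")          # fixed salt so the row is reproducible
    row = make_md5_row("dragon2016", salt)             # constructed leaked row
    strong = scrypt_hash("dragon2016")                 # same password, modern hash
    return {
        "row": row,
        "cracked": crack_md5_row(row, WORDLIST),
        "scrypt_ok": scrypt_verify("dragon2016", strong),
        "scrypt_wrong": scrypt_verify("dragon2017", strong),
        "md5_guesses_per_s": guesses_per_second(lambda g: md5_salted(salt, g), 20000),
        "scrypt_guesses_per_s": guesses_per_second(
            lambda g: hashlib.scrypt(g.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS), 3),
    }

if __name__ == "__main__":
    r = demo()
    print(f"leaked row : {r['row']}")
    print(f"cracked    : {r['cracked']}")
    print(f"MD5 ~{r['md5_guesses_per_s']:,.0f} guesses/s vs "
          f"scrypt ~{r['scrypt_guesses_per_s']:,.1f} guesses/s (single core, pure Python)")
```

Even in pure Python the throughput gap is several orders of magnitude, and a GPU cracking rig widens it further for MD5 while gaining little against a memory-hard function. That gap, not the presence of a salt, is what decides whether a leaked table like OnRPG's yields its passwords.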