Nexus Mods, a website many here are no doubt familiar with, has reported today that it suffered a major data breach in November of this year, which allowed a "potentially malicious third-party actor" to access personal data for a "small number" of users.
The breached data includes email addresses, as well as password salts and hashes. Because the passwords were stored salted and hashed rather than in plain text, the hackers won't have immediate access to any passwords, but it is possible the hashes could be cracked with enough time and effort.
In a statement, Nexus Mods said:
"Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes and password salts has taken place. We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step we took is ensuring that the new passwords are not only better protected, but that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date."
As such, it is recommended that you change your passwords, especially if you used the same password elsewhere as you did with Nexus Mods. The company also stated that, while they aren't aware of any other security breaches, it is possible the same exploit was used previously without being noticed.
All Nexus users are being forced to change their passwords and migrate their accounts to their 'new user service' as a result.
The company has also confirmed that they have reported the breach to the Information Commissioner's Office, as required under GDPR, stating they are now "in the process of fulfilling our obligations related to the matter."