Nexus Mods, the popular mod repository, has reported that the website went through a data security breach in November. It is believed that the data breach was carried out by a "potentially malicious third party actor" that was able to access a small number of user records.
After discovering the breach, Nexus Mods sent out a notification to its users describing the entire scenario. "In the very early morning of 8th November 2019 we noticed suspicious activity by a potentially malicious third-party actor against our services. Using an exploit in our legacy codebase, our logs confirm that they accessed a small number of user records from the old user service," Nexus Mods stated in the notification.
"Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes, and password salts has taken place," the notification continues. "We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step we took is ensuring that the new passwords are not only better protected but that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date. "
As a result of this data security breach, Nexus Mods has requested all its users to log out and log back in to start using the new user service and change their passwords elsewhere if it is the same for other accounts. You should also consider enabling two-factor authentication wherever possible to save yourself from situations like these.
However, Nexus Mods hasn't said why it took almost a month to report the news to its users. The site claimed that the case was reported to the Information Commissioner's Office in the UK.