Data Breach Exposes 126,000 Dragonica Lunaris Gaming Accounts
What Happened – In December 2025 the privately‑run European Dragonica server “Lunaris” suffered a breach that leaked 126 k user records, including email addresses, usernames, dates of birth, names, spoken languages and bcrypt‑hashed passwords. The operator confirmed the incident and has since patched the vulnerability.
Why It Matters for TPRM –
- Personal data from a third‑party gaming platform can be leveraged for credential‑stuffing attacks against corporate accounts.
- Exposure of bcrypt hashes indicates attackers may attempt offline cracking, increasing risk of password reuse across business services.
- The breach highlights the need to assess security hygiene of non‑core SaaS and entertainment providers used by employees.
Who Is Affected – Gaming industry; consumer‑facing entertainment SaaS; any organization whose staff use Dragonica Lunaris credentials for personal or work‑related purposes.
Recommended Actions –
- Verify whether any corporate identities reuse passwords from Dragonica; enforce password changes where overlap exists.
- Ensure multi‑factor authentication (MFA) is enabled on all corporate accounts, especially those tied to email addresses exposed in the breach.
- Review third‑party risk assessments for entertainment‑focused SaaS providers and update controls accordingly.
Technical Notes – The breach disclosed email, username, DOB, name, spoken language and bcrypt password hashes. No specific vulnerability or attack vector was disclosed by the operator. Source: Have I Been Pwned – Dragonica Lunaris breach