HomeIntelligenceBrief
BREACH BRIEF🟡 Medium Breach

Data Breach Exposes 126,000 Dragonica Lunaris Gaming Accounts

In December 2025 the European Dragonica private server Lunaris was breached, leaking 126 k user records—including emails, usernames, dates of birth and bcrypt password hashes. The incident underscores credential‑reuse risks for enterprises that allow staff to use third‑party gaming services.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 haveibeenpwned.com
🟡
Severity
Medium
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
haveibeenpwned.com

Data Breach Exposes 126,000 Dragonica Lunaris Gaming Accounts

What Happened – In December 2025 the privately‑run European Dragonica server “Lunaris” suffered a breach that leaked 126 k user records, including email addresses, usernames, dates of birth, names, spoken languages and bcrypt‑hashed passwords. The operator confirmed the incident and has since patched the vulnerability.

Why It Matters for TPRM

  • Personal data from a third‑party gaming platform can be leveraged for credential‑stuffing attacks against corporate accounts.
  • Exposure of bcrypt hashes indicates attackers may attempt offline cracking, increasing risk of password reuse across business services.
  • The breach highlights the need to assess security hygiene of non‑core SaaS and entertainment providers used by employees.

Who Is Affected – Gaming industry; consumer‑facing entertainment SaaS; any organization whose staff use Dragonica Lunaris credentials for personal or work‑related purposes.

Recommended Actions

  • Verify whether any corporate identities reuse passwords from Dragonica; enforce password changes where overlap exists.
  • Ensure multi‑factor authentication (MFA) is enabled on all corporate accounts, especially those tied to email addresses exposed in the breach.
  • Review third‑party risk assessments for entertainment‑focused SaaS providers and update controls accordingly.

Technical Notes – The breach disclosed email, username, DOB, name, spoken language and bcrypt password hashes. No specific vulnerability or attack vector was disclosed by the operator. Source: Have I Been Pwned – Dragonica Lunaris breach

📰 Original Source
https://haveibeenpwned.com/Breach/Dragonica

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →