CD Projekt confirms forum hack exposed 1.9 million user accounts

Witcher studio CD Projekt Red has confirmed a "Have I Been Pwned?" report, via IT Pro, that its forums suffered a security breach last year that led to the "exposure" of nearly 1.9 million accounts, including user names, email addresses, and salted SHA1 passwords. The breach actually occurred in March of last year, but as it pointed out, "sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly."

CD Projekt made news of the breach public in December, stating that its forum at cdprojektred.com "might have been accessed and copied from our server by an unauthorized party sometime in March 2016." It said at the time that there was no "concrete information" that an intrusion had taken place, but noted that any passwords that may have been downloaded would have been encrypted. It also said that the database in question was obsolete, from the days "before we migrated to the login system powered by our sister company, GOG.com." 

Further examination of the data since then has led to the conclusion that someone did in fact manage to access the database. "It is our understanding that the obsolete forum database contained usernames, email addresses and salted MD5 passwords (MD5 is an encryption algorithm we used to encrypt your data). This means your old passwords were secured and not directly accessible by anyone," the studio wrote in a follow-up posted today. "However, it is still a best practice to ask users to change their passwords. Since the event, we’ve conducted additional external security tests and we will double our efforts to ensure such situations don’t occur in the future." 

CD Projekt apologized for the breach, and said it would send out its own emails to affected users over the following days. 

Andy Chalk
