Witcher studio CD Projekt Red has confirmed a "Have I Been Pwned?" report, via IT Pro, that its forums suffered a security breach last year that led to the "exposure" of nearly 1.9 million accounts, including user names, email addresses, and salted SHA1 passwords. The breach actually occurred in March of last year, but as it pointed out, "sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly."
CD Projekt made news of the breach public in December, stating that its forum at cdprojektred.com "might have been accessed and copied from our server by an unauthorized party sometime in March 2016." It said at the time that there was no "concrete information" that an intrusion had taken place, but noted that any passwords that may have been downloaded would have been encrypted. It also said that the database in question was obsolete, from the days "before we migrated to the login system powered by our sister company, GOG.com."
Further examination of the data since then has led to the conclusion that someone did in fact manage to access the database. "It is our understanding that the obsolete forum database contained usernames, email addresses and salted MD5 passwords (MD5 is an encryption algorithm we used to encrypt your data). This means your old passwords were secured and not directly accessible by anyone," the studio wrote in a follow-up posted today. "However, it is still a best practice to ask users to change their passwords. Since the event, we’ve conducted additional external security tests and we will double our efforts to ensure such situations don’t occur in the future."
CD Projekt apologized for the breach, and said it would send out its own emails to affected users over the following days.