Hack Compromises 1.9 Million CD Projekt RED Forum Accounts
Ashley Allen / 8 years ago
The old forum of Polish game developer CD Projekt RED – maker of The Witcher series – was hacked, potentially compromising 1.9 million user accounts, Have I Been Pwned has revealed. While the hack took place back in March 2016, CD Projekt RED did not publicly address it until December 2016, in an obscure forum post. The extent of the hack only became clear following Have I Been Pwned’s tweeted exposé:
New breach: The CD Projekt RED forum had 1.9m accounts exposed in 2016. 67% were already in @haveibeenpwned https://t.co/LGaAniJH32
— Have I Been Pwned (@haveibeenpwned) January 31, 2017
Following that tweet, CD Projekt RED addressed the matter again on its forum:
“Upon examining the data at our disposal, we can conclude that an unauthorized party gained access to the old forum database.
At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier. The forum engine has also been upgraded since then to the newest and most secure version, fixing the exploit that allowed said access.
It is our understanding that the obsolete forum database contained usernames, email addresses and salted MD5 passwords (MD5 is an encryption algorithm we used to encrypt your data). This means your old passwords were secured and not directly accessible by anyone.
However, it is still a best practice to ask users to change their passwords. Since the event, we’ve conducted additional external security tests and we will double our efforts to ensure such situations don’t occur in the future.
In the following days, we will send out emails to affected users notifying them about the situation.
We would like to deeply apologize to everyone affected.”
While the passwords were stored as salted MD5 hashes rather than in plain text, if you think you were affected by this breach, it is advisable to change your password.