New details have emerged about the March 2016 hack of the CD Projekt Red (CDPR) game studio's old forums.
The hack was revealed in December 2016--nine months after the suspected data breach--in a forum post. "It has come to our attention that the now-obsolete cdprojektred.com forum database might have been accessed and copied from our server by an unauthorized party sometime in March 2016," CDPR said. "It’s the old database we used to run the forum before we migrated to the login system powered by our sister company--GOG.com."
CDPR assured users that any compromised passwords would have been encrypted but said they should change their passwords just in case. Now, the breach disclosure site "have I been pwned?" has sent out emails confirming that usernames, email addresses, and salted passwords were compromised in the forum hack. The passwords should be safe, because they were secured by the SHA-1 protocol, but dedicated attackers could still figure them out.
"Have I been pwned?" said nearly 1.9 million accounts were compromised in the breach. Members of CDPR's new forums aren't pleased with how the company handled the forum hack--several have asked why the studio's initial suspicions were published on the forum instead of disclosed in an email, or why the company didn't share more info about how it secured user passwords. CDPR replied with more information about the breach:
Upon examining the data at our disposal, we can conclude that an unauthorized party gained access to the old forum database. At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier. The forum engine has also been upgraded since then to the newest and most secure version, fixing the exploit that allowed said access. It is our understanding that the obsolete forum database contained usernames, email addresses and salted MD5 passwords (MD5 is an encryption algorithm we used to encrypt your data). This means your old passwords were secured and not directly accessible by anyone.
The studio also said that it's "conducted additional external security tests and we will double our efforts to ensure such situations don’t occur in the future" and that it "will send out emails to affected users notifying them about the situation" in "the following days." Meanwhile, you can check to see if your personal information was revealed in the forum hack via the "have I been pwned?" website.
