Users of CD Projekt's official forums are encouraged to change their passwords after the studio took months to disclose a data breach.
Unbeknownst to most users, the official forums of Polish game studio CD Projekt Red, developer of The Witcher, were hacked in March 2016, exposing the data of nearly 1.9 million users.
The affected data includes email addresses, passwords, and usernames, according to Have I Been Pwned, a security site run by Troy Hunt, Microsoft regional director and an online security expert.
“In March 2016, Polish game developer CD Projekt RED suffered a data breach,” the site said. “The hack of their forum led to the exposure of almost 1.9 million accounts along with usernames, email addresses, and salted SHA1 passwords.”
The breach wasn’t completely unknown, as CD Projekt published a short forum post about it in December (nine months after it took place) and said emails would be sent to affected users . Another post, from January, indicates that not all forum users received an email. The post said that the data was from an older forum database and that any passwords obtained were encrypted, although the developer recommended users change their passwords anyway just in case.
“Since the event, we’ve conducted additional external security tests, and we will double our efforts to ensure such situations don’t occur in the future,” the post said, promising that the particular vulnerability that allowed the breach to occur had already been addressed.
Forum hacks aren’t unique, and players are used to receiving the “whoops, time to change your password” email at this point. But Engadget points out that it’s not the fact that the hack occurred that’s worrying, but the fact that it took so long for CD Projekt Red to notify users about it. Even when the developer did so, it was in a way that seems designed to ensure it will reach the fewest number of players possible, which is supported by the fact that the breach is just now making news.