CD Projekt confirms stolen source code is being circulated online

CD Projekt confirms stolen source code is being circulated online

The studio dropped an update on the February data breach today, while we were all busy watching the Summer Game Fest Kickoff livestream.


CD Projekt confirms stolen source code is being circulated online - image1
(Image credit: CD Projekt)

CD Projekt Red wᴀs hacked ɪɴ February, ʀᴇsᴜʟᴛɪɴg ɪɴ tʜᴇ tʜᴇft ᴏꜰ ɪɴternal ᴅᴏcuᴍᴇnts ᴀɴd sᴏᴜʀce code ꜰᴏʀ ɢᴀᴍᴇs ɪɴcludɪɴg Gᴡᴇnt, Tʜᴇ Wɪᴛcʜᴇr 3: Wild Hunt, ᴀɴd Cyʙᴇrpunk 2077. Tʜᴇ hackers threᴀᴛened ᴛᴏ releᴀse tʜᴇ dᴀᴛa unʟᴇss a rᴀɴsᴏm wᴀs paid, ᴡʜɪᴄʜ tʜᴇ studio refᴜsed ᴛᴏ ᴅᴏ; shᴏʀtly tʜᴇreᴀꜰᴛᴇʀ tʜᴇ hackers repᴏʀtedly ʙᴇgᴀɴ releᴀsɪɴg tʜᴇ code, ᴡʜɪᴄʜ CD Projekt ᴀᴛtempted ᴛᴏ ᴋᴇᴇᴘ a lid ᴏɴ ʙʏ ᴡᴀʏ ᴏꜰ DMCA ᴛᴀᴋᴇᴅᴏwn ɴᴏtɪᴄᴇs.

Despite those efforts, it was reported by databreaches.net (via Eurogamer) earlier this month that the stolen data—ranging from source code to internal "comedy bug reels"—are in the wild, and that passwords to the encrypted files had either been cracked or were being shared voluntarily. Either way, it seemed that anyone who wanted access could get it.

Today, CD Projekt issued a statement confirming that the data is in fact now being circulated online. "We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games," it said. "Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach."

IMPORTANT UPDATERead more: https://t.co/qd6sc5VF3I pic.twitter.com/kKi1GkIaLOJune 10, 2021

See more

CD Projekt is now working with law enforcement agencies including the General Police Headquarters of Poland, Interpol, and Europol, as well as other "appropriate services [and] experts" to resolve the matter. It's also implemented a number of new internal security measures to help prevent breaches like this in the future:

Our core IT infrastructure has been redesigned and rolled out New next-generation firewalls with advanced anti-malware protection have     been implemented A new remote-access solution has been employed The number of privileged accounts, and access rights to accounts, has     been limited A new mechanism for the protection of endpoints, servers, and networks has been installed Our event-monitoring mechanisms have been improved We have expanded our internal security department   

"We would also like to state that—regardless of the authenticity of the data being circulated—we will do everything in our power to protect the privacy of our employees, as well as all other involved parties," CD Projekt said. "We are committed and prepared to take action against parties sharing the data in question."

It's progress, but it's also surprising (and, honestly, disappointing) that four months after the attack, CD Projekt still can't say exactly what data was stolen, or who might be impacted by it. The timing of today's announcement, which appeared without notice in the midst of Geoff Keighley's Summer Game Fest Kickoff livestream, also raised a few eyebrowsm

Dropping this now during a week-long kickoff of gaming press events?Doesn’t exactly inspire confidence.June 10, 2021

See more

posting this during Keighley's thing is laughable. good christ.June 10, 2021

See more

Wow, the amount of goodwill you already burned, and now you release this in the middle of Summer Gamefest - just wow.June 10, 2021

See more

I've reached out to CD Projekt for more information on what data was taken during the breach, and will update if I receive a reply.

Author's other posts