Earlier today, CD Projekt Red – the company behind games like The Witcher 3 and Cyberpunk 2077 – announced it had fallen victim to a malware attack and that the hackers were demanding a ransom to keep them from leaking a lot of internal information about its business. The information the hackers claim to have includes the source code for Cyberpunk 2077, The Witcher 3, Gwent, and what is presumably the next-generation version of The Witcher 3.
The damage doesn’t stop there, though, as the hackers also claimed to have documents relating to CD Projekt’s “accounting, administration, legal, HR, investor relations” and more. With its statement today, CD Projekt said that it doesn’t have any evidence that the hackers made off with personal information belonging to users, but that’s a big worry considering that CD Projekt also runs GOG – one of the biggest names in PC digital distribution.
This hack caps off a rough couple of months for the company, which released the long-awaited Cyberpunk 2077 to much controversy at the beginning of December. By now, it’s hardly a secret that Cyberpunk 2077 launched in a very spotty state, prompting apologies from the executives at CD Projekt and an update roadmap filled with patches and improvements that’s scheduled to play out over the course of the year.
Even with CD Projekt indicating that it’ll be able to restore a lot of the stolen information from backups, this hack could potentially delay this effort to fix Cyberpunk 2077. Even if it doesn’t, individual developers who have likely had a rough year in 2020 between Cyberpunk‘s multiple delays, what’s been reported as long periods of crunch, and pushback from gamers who were angry about the state of Cyberpunk 2077 at release now get to worry about if internal information pertaining to their jobs is going to be made public, and that can’t be good for morale.
After all, CD Projekt has announced that it won’t be giving into the hackers’ ransom demands, so if these hackers are true to their word, they’re going to publish everything they made off with in the coming days. In an update posted just a few minutes ago, CD Projekt Red directed a tweet to ex-employees in which it said, “As of this moment, we don’t possess evidence that any of your personal data was accessed. However, we still recommend caution (i.e. enabling fraud alerts),” before directing them to contact CD Projekt’s privacy team with their questions.
Even with reassurance that these hackers probably didn’t get away personal employee info, this probably only compounds the stress CD Projekt Red employees have been going through in recent months.
Interestingly enough, CD Projekt Red had something very similar happen to them three and a half years ago. On June 8th, 2017, the CD Projekt Red published a statement to its Twitter account saying that someone had made off with some of the company’s internal files, demanding ransom and threatening to make the files public if that ransom wasn’t paid.
Obviously, we don’t know how these bad actors accessed these files in either scenario, and I’m not about to suggest that CD Projekt doesn’t know what it’s doing when it comes to cybersecurity. Ultimately, nothing out there is entirely hackproof and humans will still sometimes make dumb decisions that compromise even the tightest security. It does beg the question of whether or not CD Projekt got lax with security in between these events, and at the very least, it’s a good reminder that we should manage our personal data with care.
In fact, even though CD Projekt says there’s no evidence that user data was leaked, now would be a excellent time to reset any CD Projekt-related passwords you may have, and that’s doubly true if you own a GOG account. While there may not be any reason to believe that your data has been compromised, it costs you nothing but a few minutes to update passwords and make sure that you’re the only one who has access to your accounts.