CD Projekt confirms stolen source code is being circulated online

Cyberpunk 2077
(Image credit: CD Projekt)

CD Projekt Red was hacked in February, resulting in the theft of internal documents and source code for games including Gwent, The Witcher 3: Wild Hunt, and Cyberpunk 2077. The hackers threatened to release the data unless a ransom was paid, which the studio refused to do; shortly thereafter the hackers reportedly began releasing the code, which CD Projekt attempted to keep a lid on by way of DMCA takedown notices.

Despite those efforts, it was reported by databreaches.net (via Eurogamer) earlier this month that the stolen data—ranging from source code to internal "comedy bug reels"—are in the wild, and that passwords to the encrypted files had either been cracked or were being shared voluntarily. Either way, it seemed that anyone who wanted access could get it.

Today, CD Projekt issued a statement confirming that the data is in fact now being circulated online. "We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games," it said. "Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach."

CD Projekt is now working with law enforcement agencies including the General Police Headquarters of Poland, Interpol, and Europol, as well as other "appropriate services [and] experts" to resolve the matter. It's also implemented a number of new internal security measures to help prevent breaches like this in the future:

  • Our core IT infrastructure has been redesigned and rolled out
  • New next-generation firewalls with advanced anti-malware protection have     been implemented
  • A new remote-access solution has been employed
  • The number of privileged accounts, and access rights to accounts, has     been limited
  • A new mechanism for the protection of endpoints, servers, and networks has been installed
  • Our event-monitoring mechanisms have been improved
  • We have expanded our internal security department   

"We would also like to state that—regardless of the authenticity of the data being circulated—we will do everything in our power to protect the privacy of our employees, as well as all other involved parties," CD Projekt said. "We are committed and prepared to take action against parties sharing the data in question."

It's progress, but it's also surprising (and, honestly, disappointing) that four months after the attack, CD Projekt still can't say exactly what data was stolen, or who might be impacted by it. The timing of today's announcement, which appeared without notice in the midst of Geoff Keighley's Summer Game Fest Kickoff livestream, also raised a few eyebrowsm

I've reached out to CD Projekt for more information on what data was taken during the breach, and will update if I receive a reply.

TOPICS
Andy Chalk

Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.