Breach notification site Have I Been Pwned on Tuesday notified thousands of users that happen to have a forum account with Polish game development studio CD Projekt Red that their credentials have been compromised.

CD Projekt Red, as you may know, is the studio behind the popular Witcher franchise.

According to Have I Been Pwned (which is maintained by security researcher Troy Hunt), CD Projekt Red’s forums were hacked in March 2016, exposing 1.9 million accounts. Of those, Hunt notes that 67 percent were already in the Have I Been Pwned database.

What seems to be rubbing people the wrong way is the fact that it took roughly nine months for CD Projekt Red to alert its forum users that its “now-obsolete” database had been compromised.

Worse yet, instead of e-mailing all members and encouraging them to change their passwords ASAP out of an abundance of caution, the studio instead elected to post a message about it in the forums – a move that essentially covers their ass but also gives them the opportunity to downplay the event by tucking word of it away where many may never see it.

According to IT Pro, this is one of the most significant data breaches to affect a gaming community.

In a follow-up message on its forums, the studio confirmed that at the time of the breach, the database affected was not in active use. Compromised data includes usernames, e-mail addresses and salted MD5 passwords.

CD Projekt Red said the forum engine has also been upgraded which patches the exploit that allowed said access.