CD Projekt Red forum hack exposed 1.9 million accounts, only now word is 'getting out'

Shawn Knight

TechSpot Staff
Staff member

Breach notification site Have I Been Pwned on Tuesday notified thousands of users that happen to have a forum account with Polish game development studio CD Projekt Red that their credentials have been compromised.

CD Projekt Red, as you may know, is the studio behind the popular Witcher franchise.

According to Have I Been Pwned (which is maintained by security researcher Troy Hunt), CD Projekt Red’s forums were hacked in March 2016, exposing 1.9 million accounts. Of those, Hunt notes that 67 percent were already in the Have I Been Pwned database.

What seems to be rubbing people the wrong way is the fact that it took roughly nine months for CD Projekt Red to alert its forum users that its “now-obsolete” database had been compromised.

Worse yet, instead of e-mailing all members and encouraging them to change their passwords ASAP out of an abundance of caution, the studio instead elected to post a message about it in the forums – a move that essentially covers their ass but also gives them the opportunity to downplay the event by tucking word of it away where many may never see it.

According to IT Pro, this is one of the most significant data breaches to affect a gaming community.

In a follow-up message on its forums, the studio confirmed that at the time of the breach, the database affected was not in active use. Compromised data includes usernames, e-mail addresses and salted MD5 passwords.

CD Projekt Red said the forum engine has also been upgraded which patches the exploit that allowed said access.

Permalink to story.

 
Last edited by a moderator:

ViPeRMiMiS

TS Booster
Why would they use MD5 ? I mean is there a difference if they use much better algorithms such as PBDFK2? Is there a reason those websites don't use better hash algorithms? Maybe because at the time it was already decided to use the MD5 and after a while it would be hard to change the algorithm? They COULD force one day users to retype the passwords for security reasons and "convert" the old MD5 hashed passwords with new PBDFK2, first they would check if the MD5 hash of the old password they put matches the database one and if this is true then hash with the new PBDFK2 and overwrite! (Am I wrong here?)