According to a statement, CD Projekt RED, the Poland-based developer of Cyberpunk 2077, The Witcher, and proprietor of the GOG.com online store, has suffered a data breach conducted by unknown parties demanding a ransom. The statement was posted on February 9, 2021 via the official CDPR Twitter account:
Important Update pic.twitter.com/PCEuhAJosR
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
The statement from CD Projekt RED notes that on February 8th, 2021, the company discovered that it became the victim of a “targeted cyber attack” that compromised some of its internal systems. The perpetrator, who has yet to be identified, collected some of the companies data and left a ransom note. Some company devices – perhaps workstations or servers – were successfully encrypted by the attacker, but CDPR’s backups remain intact. Since then, IT infrastructure has been secured, and the process of data restoration begun. To the best of its knowledge, the data of players or users of CD Projekt RED’s services was not breached. CD Projekt RED stated that it would not accede to the attacker’s demands or negotiate.. It is in contact with Polish authorities and IT forensic specialists, and will be cooperating with them to investigate the incident.
A screenshot of the attacker’s ransom note, a plain text file, was also posted. In it, the attacker claimed to have breached one of CDPR’s servers acquired (“dumped”) full copies of the source code for Cyberpunk 2077, The Witcher 3: Wild Hunt, Gwent, and an “unreleased version of Witcher 3“. They also claimed to have documents relating to accounting, admin, legal, and other matters related to the company’s internal operations. The attacker demanded that CD Projekt RED contact them within 48 hours to settle the ransom, or risk having their source code “sold or leaked online” and their documents “sent to our contacts in gaming journalism.”
Data breaches and ransom attacks are growing more common as more companies go online. Game publishers and developers are popular targets both for would-be ransom attempts, or simply to acquire sensitive data, such as game prototypes or personal information from. For example, Nintendo suffered two major breaches in 2020 alone: One affected the accounts of hundreds of thousands of Nintendo ID users, and the other led to the publication of a large trove of development information for systems like the Nintendo 64 and Wii.
At the moment CD Projekt RED’s various services seem unaffected, including GOG.com. Though the company has stated that no user data was exposed by the breach, it may be a good idea to refresh your user credentials if you maintain accounts on a service or game run by CDPR.