In the early afternoon of February 9 2021 CD Projekt revealed that the company became a victim of a targeted cyber attack. The hackers demand compensation and threaten to release or sell the information they obtained to a third party. CD Projekt refuses give in to the demands!
In the early afternoon today CD Projekt Red released a shocking update via the company’s official Twitter account. Yesterday, February 8th 2021, the company’s servers were hacked and a lot of information was stolen.
The hackers claim to have stolen full copies of the source codes from CD Projekt’s Perforce server for Cyberpunk 2077, Witcher 3, Gwent and unreleased version of Witcher 3.
Here is the full text of the hackers’ note. CD Projekt shared it in their tweet alongside their response (which you can read in full below as well):
Hello CD PROJEKT
Your have been EPICALLY pwned!!
We have dumped FULL copies of the source codes from your Perforce server for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3!!!
We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations and more!
Also, we have encrypted all of your servers, but we understand that you can most likely recover from backups.
If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism. Your public image will go down the shitter even more and people will see how you shitty your company functions. Investors will lose trust in your company and the stock will dive even lower!
You have 48 hours to contact us.
There is no mention in the note what kind of a ransom the hackers demand, but since CD Projekt officialy and publicly stated they will not give in, this means that some time tomorrow we can expect to see the resolution to that case.
The company refuses to give in to the hackers’ demands, who left a note to CD Projekt stating that if the company doesn’t get in contact with them in forty-eight hours, they will either freely release the information they stole or will sell it to whoever wants to buy it.
CD Projekt said in their public announcement that to their knowledge and according to an internal investigation they are still doing, there is no personal information stolen that relates to the players and customers of the company.
Here is the full text of CD Projekt’s “important update” as it was published on Twitter earlier today:
Yesterday we discovered that we have become victim of a targeted cyber attack, dye to which some of our internal systems have been compromised.
An unidentified actor gained unauthorized access to our internal network, collected certain data belonging to CD PROJEKT capital group, and left a ransom note the content of which we release to the public. Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data.
We will not give in to the demands nor negotiate with the actor, being aware that this may eventualy lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach.
We are still investigating the incident, however at this time we can confirm that – to our best knowledge – the compromised system s did not contain any personal data of our players or users of our services.
We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate this incident.
To those who might not be aware, I want to make it clear that CD Projekt is the parrent company and CD Projekt Red is the studio that develops the video games.
The unreleased version of the Witcher 3 is most likely referring to the upcoming Remaster of the game that CD Projekt Red is working on.
Important Update pic.twitter.com/PCEuhAJosR
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
A few hours after this tweet, CD Projekt’s account posted another message, this time aimed at their ex employees:
To our ex employees: As of this moment, we don’t possess evidence that any of your personal data was accessed. However, we still recommend caution (i.e. enabling fraud alerts). If you have questions, please write to our Privacy Team dpo[at]https://t.co/0UUMoqT5tF
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
This is the third time in the last four years the company gets hit by hackers. The first one occurred in 2016 and was a breach on the forums. The second one, a year later, was a hit at the company’s Cyberpunk 2077 game while it was still in development.
This most recent one from yesterday is a bit strange. It kind of seems like someone with a personal vendetta decided to hit CD Projekt for not delivering on everything that Cyberpunk 2077 was hyped and expected to have when it launched.
Whatever the reason of the “actor” as the official message refers to the hackers party, it is wrong to do this and from what we know and remember, it usually ends up bad for the attackers.
