If you’re a big enough The Witcher fan to have joined CD Projekt Red’s official forums, you may be in for an unpleasant surprise. Members signed up to Have I Been Pwned have received emails warning them of a reported hack in March 2016 that compromised over 1.8 million forum accounts. Passwords were encrypted, thankfully, but you’re encouraged to change your login just in case. The issue isn’t so much the actual threat as the lack of notifications — for many, this is the first sign that something went horribly wrong.
As it turns out, the game developer posted about the breach on its forums in mid-December. It touched on many of the details back then, including the encrypted passwords and that it’s a “now-obsolete” database. However, the info stayed tucked away in the company’s official The Witcher news sub-forum, where not many people are likely to go (let alone pay attention to security issues). Even a follow-up complaint on January 31st of this year got moved to a technical support forum where it’s unlikely to be seen. Users are wondering: why didn’t CD Projekt Red email everyone, even if didn’t think the breach was serious?
We’ve asked the company for comment and will let you know if it has something to add. With that said, it’s clear that there’s some room for improvement. Forum hacks certainly aren’t unheard of, but it shouldn’t take several months to put up a forum post, let alone 10 months for most users to find out. If the passwords hadn’t been secure, the damage could have been extensive.