CD Projekt Red, the embattled publisher of Cyberpunk 2077, disclosed on Tuesday that it was the victim of a ransomware attack in which hackers claimed to have gained access to confidential corporate data. Now it's being reported that the data, including source code for Cyberpunk 2077 and The Witcher 3, has likely been sold to an anonymous buyer.
Cybersecurity firm Kela today released screenshots of a post on hacking forum Exploit, allegedly posted by the attackers, saying they've received an offer for the data from outside the forum. They went on to say they ended an auction that they were running at the request of the buyer. Another cybersecurity-related Twitter account, vx-underground, subsequently confirmed the auction had closed.
The hack is emblematic of just how far CDPR's fortunes have fallen since Cyberpunk 2077 was rushed out last year to tough reviews, following nearly a decade of anticipation for the open-world game. The company's stock price is down 36 percent in the past six months and the company was forced to offer refunds to buyers who wanted to return Cyberpunk.
It's unclear how much money the purchased data went for. It's believed that the data also included copies of internal documents, like human resources files.
3D chess — CDPR in its public statement said it declined to give in to demands or negotiate with the hackers, even if that meant sensitive data would circulate online. Experts in cybersecurity typically advise against paying hackers in part because it's difficult to obtain real guarantees that the data will be forfeited in its entirely. Black hat hackers don't exactly care about doing what's morally right.
The auction for CDPR's data began following a leak of source code for its virtual card game Gwent, which was confirmed authentic by VICE. It seems likely that leak was made in order to prove it was a legit hack and drum up interest for the auction. It's possible CDPR itself might have caved after Gwent was leaked and paid up to prevent further damage.
Kela said the auction had a starting price of $1 million with a buy-it-now price of $7 million.
Source code — Source code cannot simply be read from a game disc because by then it's been compiled and converted into machine-readable ones and zeros, without any instructions for how the game was written originally. But if a person manages to find the original source code, however, they can recompile the game and re-distribute it, or create modifications that change the game's functionality. The code can also reveal valuable trade secrets regarding how different mechanics in the game were engineered. Other developers might use that information in their own games, though that seems unlikely due to the significant legal risks involved.