Hacked CD Projekt Red data is floating around the internet

The 'Cyberpunk 2077' developer says employee and contractor data has almost certainly leaked.

Earlier this year, Cyberpunk 2077 developer CD Projekt Red was hit by a massive ransomware attack. It didn’t take long for the hackers to sell their haul of stolen data — and now the game’s developers say that data is making its way around the darker corners of the internet.

“We are not able to confirm the exact contents of the data in question,” CD Projekt Red said in a Twitter statement, “though we believe it may include current/former employee and contractor details in addition to data related to our games.”

Mega yikes. When the hack first came to CD Projekt Red’s attention back in February, the company’s messaging centered around the assertion that no personal data had been stolen in the incident — just game code. Now the company seems to have additional info on the matter (it’s been working with law enforcement on the problem), and it turns out employee data has been compromised. And maybe even “manipulated or tampered with.”

As disappointing as Cyberpunk 2077 has been for many who waited years for its release, it’s hard to watch the company behind it going through such a miserable and long-lasting hacking experience.

The data’s…somewhere — CD Projekt Red’s messaging is — as we’ve come to expect from the company — abstract here. Every update thus far, including this one, has been full of maybe and we are not able to confirm.

CD Projekt Red refused to acquiesce to the hacker’s demands when it first became aware of the hack in February. Just days later the hackers claimed to have sold the stolen data on a hacking forum auction, but some threat analysts have said it’s unlikely the data was actually sold.

So what we know for sure is that some data has been stolen — not that of players but of employees and contractors — and it’s floating around on the internet just waiting to be weaponized.

Horrible no matter how you slice it — Thankfully CD Projekt Red has been more concrete in its messaging about how, exactly, it’s preparing for the possibility of similar breaches in the future. Here’s the full list of actions the company has taken thus far, as outlined in a new blog post:

  • Our core IT infrastructure has been redesigned and rolled out;
  • New next-generation firewalls with advanced anti-malware protection have been implemented;
  • A new remote-access solution has been employed;
  • The number of privileged accounts, and access rights to accounts, has been limited;
  • A new mechanism for the protection of endpoints, servers, and networks has been installed;
  • Our event-monitoring mechanisms have been improved;
  • We have expanded our internal security department;
  • We have established cooperation with multiple external cybersecurity & IT specialists.

CD Projekt Red has received boatloads of hate for the botched rollout of Cyberpunk 2077; some players replying to the company’s latest statement seem sure this is some form of karma. But no company deserves this kind of breach, not even one we love to hate on. Its employees certainly don’t, either. And besides, wouldn’t it be better if the company had time to focus on making the game good, rather than spending so many of its resources on this investigation?

The company says it’s continuing to work with law enforcement on responding to the hack. This saga isn’t over just yet.