Hack of the old forum


I was just made aware via haveibeenpwned.com that the old cdprojecktred forum database was compromised.
WHY THE FUCK didn't you send an email directly to all forum members about this? It is your responsibility to advise your customers in this kind of situation!
You simply posted on a game forum a very plain and simple message, without any detail! How were the passwords stored? What was the level of encryption? What did you do so that this situation doesn't happen again in the future?
 
Well, to fill in a couple of the details now, reading from the haveibeenpwned email... Salted SHA1. Estimated to cost about $75000-120000 of EC2 compute power to brute force a hash in 2015.
 
There's a few points I'd like to add to this.

First, the message informing users is buried in the news section for The Witcher ONLY, not any other section of the forum.
It's not pinned, meaning it will fall off the front page.
The breach was in March 2016 (I realise it takes time to investigate).
The notice was posted in December with no attempt to inform users, leaving it to a 3rd party to inform people more than a month later.
This thread was moved from General to W3 Technical Support, which is not where it should be, since it is a general issue for all forum users and not specific to W3.

So I'd like to echo the sentiment of the OP. Why was no attempt made to inform users directly via email of the breach, so people could at least have a heads up from CDPR that they should change their passwords, and why is no mandatory password reset enforced?
Regardless of whether the user has 2FA, people should have been informed in a much better and much quicker way, or are you resting on the fact that the GOG system is more secure?
What steps have been taken to ensure that no further breaches happen?

Unfortunately these are important questions that do need some answers.
 
majikthiseuk;n7625780 said:
There's a few points I'd like to add to this.

First the message informing users is buried in the news section for The Witcher ONLY not any other section of the forum.

Good point. I'm not browsing through The Witcher section much, besides for a few followed posts. Such announcements should be made in each subforum, including Community.
 
Hmm, regular forum posts to inform about this. Uh huh. Considering I get email notifications for things as simple as private messages, it wouldn't have hurt to 1) Send this message to everyone directly by email or 2) Send a private message to everyone. You know, in case it's important.
 
volsung;n7634390 said:
Hmm, regular forum posts to inform about this. Uh huh. Considering I get email notifications for things as simple as private messages, it wouldn't have hurt to 1) Send this message to everyone directly by email or 2) Send a private message to everyone. You know, in case it's important.

The fact that an update only came after haveibeenpwned took it to social media yesterday and that the original notifying thread wasn't even stickied to start with (not to mention it was posted in a section that was pretty much dead at the time already and wasn't even propagated through other, more prominent, CDPR social media channels) probably indicates that this was intended to be kept hush hush.
 
"Oh by the way guys, like months ago, your info was totally compromised. But NOWORRIES BRO. We totally got it...just look at our forum history. We're experts man. We have Galaxy and it's only been in beta 23 years now. Totally safe".
 
Marcin_Momot;n7630300 said:
You can find all the details about this situation here, here and here.

You need to step up the communication. No one is asking for the company's life story here. Your inability to accurately fucking communicate when something like this happens is pathetic. Do it better.
 
The sad thing is that this isn't really surprising. CDPR's communication has been terrible for years, we even had a thread dedicated to it. It's clear REDs barely participate in the forums and don't interact with us much, but we stick around because other people make this place OK. No one can really be expected to bother with the news section, if REDs are barely around and many of us don't visit often.

We can tolerate the lack of game related feedback but some things, the really important ones, have to be communicated properly. Otherwise why bother with the forums at all?

CDPR: Didn't you learn anything from the GOG "DRM as a favor" PR disaster of a few years back? Your customers seem to value integrity and transparency.

We don't expect you to be perfect; even eBay and other massive companies have had leaks. If you want to have forums though, please do a better job.

Also this might seem petty but when something like this happens you need to watch your phrasing. Those posts sound dismissive and non committal, like "oh btw, this tiny thing happened some time ago, here's a tip though: change your password".

And just to end with a bit of humor:

We would like to deeply apologize (...)

... but you won't? :)
 
Email update I received earlier today (and all of us should have it by now, I hope):

Dear Forum Users,

Recently it has come to our attention that an obsolete cdprojektred.com forum database was accessed by an unauthorized party sometime in March 2016.

At the time of the event, the database was not in active use, as almost a year earlier forum members had been asked to create secure GOG.com accounts for login purposes. These accounts are additionally protected by two-step authentication. The forum engine has also been upgraded since then to the newest and most secure version, fixing the vulnerability that allowed said access.

It is our understanding that the obsolete forum database contained usernames, email addresses and passwords that were hashed and “salted.” Salting is a common practice that involves adding random characters to the password when hashing to increase security. It is this, a “salted hash” of a password, that was stored in the database and that was accessed. Your passwords were not stored in plain text, hence they were not directly accessible by anyone.

However, in circumstances such as this, it is still advisable for users to change their account passwords. You can set your new password here.

Since the event, we’ve conducted additional external security tests, and we will double our efforts to ensure such situations don’t occur in the future.

We would like to deeply apologize to everyone affected.

CD PROJEKT RED Forum Staff

Appreciated update even if it came a bit late. Cheers.
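The email above explains what a salt is, but not why a salted hash still calls for a password change. The following is an added example, not code from this thread or from CD PROJEKT RED: it stores a password as sha1(salt || password), which is roughly the "salted SHA1" scheme haveibeenpwned reported for the leaked database (the exact concatenation order and record layout are assumptions), runs an offline dictionary attack against a leaked row to show that the stored salt does nothing to slow a single-user guess, and stores the same password under PBKDF2-HMAC-SHA256 with a high iteration count for comparison. User names, the wordlist and the record format are constructed for illustration.

```python
"""Salted SHA-1 versus a deliberately slow KDF for password storage.

Added example using only the standard library. The record layout below is an
assumption made for illustration, not the forum software's real schema.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Fast unkeyed hash: sha1(salt || password). Assumed approximation of the
    breached forum's scheme; any order of salt and password is equally fast."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_slow(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow KDF: every guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


SCHEMES = {"sha1_salted": sha1_salted, "pbkdf2_slow": pbkdf2_slow}


def make_record(username: str, password: str, scheme) -> dict:
    """Per-user random salt stored beside the digest. The scheme name is kept in
    the row so records can be migrated to a stronger scheme at next login."""
    salt = os.urandom(16)
    return {
        "user": username,
        "scheme": scheme.__name__,
        "salt": salt.hex(),
        "hash": scheme(password, salt).hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    scheme = SCHEMES[record["scheme"]]
    digest = scheme(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def dictionary_attack(record: dict, wordlist) -> tuple:
    """Offline guessing against one leaked row. The salt sits in the row, so it
    is not a secret: it only defeats precomputed tables and forces the attacker
    to treat each user as a separate job. Returns (password or None, guesses, seconds)."""
    scheme = SCHEMES[record["scheme"]]
    salt = bytes.fromhex(record["salt"])
    target = bytes.fromhex(record["hash"])
    start = time.perf_counter()
    for tried, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(scheme(guess, salt), target):
            return guess, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def guess_rate(scheme, seconds: float = 0.5) -> float:
    """Rough single-core guesses per second for a scheme in this interpreter.
    GPU crackers do orders of magnitude better against SHA-1; that gap is the
    reason to use a slow, tunable KDF rather than a fast hash with a salt."""
    salt = b"\x00" * 16
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        scheme("password%d" % count, salt)
        count += 1
    return count / seconds


# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "geralt", "witcher3", "Roach!", "correct horse battery staple"]

if __name__ == "__main__":
    for name, scheme in SCHEMES.items():
        rec = make_record("alice", "witcher3", scheme)
        found, tried, elapsed = dictionary_attack(rec, WORDLIST)
        print(f"{name:12s} cracked={found!r} after {tried} guesses in {elapsed:.3f}s; "
              f"~{guess_rate(scheme, 0.3):,.0f} guesses/s on one core")
```

Two things the run makes visible: a weak password falls to the dictionary in both schemes, so the email's advice to change the password is right regardless of storage; and the same attack costs hundreds of thousands of times more per guess under PBKDF2, which is what turns a leaked table from a weekend job into the EC2 budget quoted earlier in the thread.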
 