Hex the planet! CD Projekt RED old forum hacked

CD Projekt RED, the makers of The Witcher, are warning that unknown naughty people gained access to an old forum database of theirs in March 2016. RED say the passwords were stored in a form that should keep them obscured, but add, just to be safe, that if you used the same password on other sites you should probably change it. (You know better than to reuse passwords, don’t you?)

I myself didn’t know I’d even registered for their forums — I couldn’t tell you when or why — so perhaps you did it yonks ago yourself. Be warned!

If you’re not already using a unique password for every site, spare yourself worry over warnings like this by using random passwords with a password manager like KeePass or LastPass.

RED mentioned in December that the old forum may have been compromised, saying they had no evidence yet but would investigate. This week they posted an update confirming it, and overnight sent e-mails to affected users. The forum post explains:

“At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier. The forum engine has also been upgraded since then to the newest and most secure version, fixing the exploit that allowed said access.

“It is our understanding that the obsolete forum database contained usernames, email addresses and salted MD5 passwords (MD5 is an encryption algorithm we used to encrypt your data). This means your old passwords were secured and not directly accessible by anyone.

“However, it is still a best practice to ask users to change their passwords. Since the event, we’ve conducted additional external security tests and we will double our efforts to ensure such situations don’t occur in the future.”

RED sent a variant of this message in e-mails to registered forumeers, waking me up by binging my phone on this grim Saturday morning. The fungoid beside me jerked awake, hissing and ejecting empty whisky bottles from its black velveteen mass.

“What?” I murmured, fishing my phone out from a glob then staring confused at the e-mail. “When did…? Did I…? I’d better write this on RPS. Oh sure, it’s the weekend, but you can say ‘Hex the planet!’ and you know that’s just broken enough to delight you.”

Though my feet are shredded from stumbling across those broken bottles and fungal spores already bloom in the wounds, I’d say yes, “hex the planet” was totally worth it.

24 Comments

  1. DThor says:

    Yeps, strong, unique passwords FTW. Back when I first started using Keepass it was a hassle, but now I’m in the rhythm it’s a no-brainer. I used to be nervous about having a handful of weak passwords scattered everywhere, but now I only get nervous in the extremely rare case when I really feel the need to sign up somewhere away from the app; I strengthen it up later that day, and the database is rarely a step away from me on all the platforms I’m on.

  2. Mnyo says:

    Just a quick note: CD Projekt states that they use MD5 and that “this means your old passwords were secured and not directly accessible by anyone”. That’s not really true: MD5 is a very old algorithm that shouldn’t be used today; it’s vulnerable to different types of attacks and it’s easy to crack those hashes with today’s computers. Computerphile made a good video where they demonstrate how easy it is to break MD5 encryption. (link to youtube.com)
    So definitely change those passwords and consider them compromised if you reused them somewhere else.

    • mavrik says:

      Well…. that depends. Properly salted MD5 is still really really annoying and time-consuming to crack and demands regeneration of rainbow tables for each password. So in that case it’s ok(ish).

      If not, it’s pretty bad yeah, especially if you have a simple password :)

      • TechnicalBen says:

        “Time” is not a concern anymore. As long as it’s not 1+ years to crack/rainbow-table (or whatever) the passes with a botnet/server/GPU farm, then the re-used passwords remain valuable.

        If it’s MD5 hash for one time cookies/tokens, then yep, no worries, who has the time/power/speed to get an intercept before the session expires?

        But if it’s an existing service, document or personal details, the crooks can sit on the data, and as long as the marks are still alive, using the internet or have bank accounts, it’s possible to try the old pass in the new services…

    • aepervius says:

      Nowadays all forums encrypt their passwords with a key (in case you can get your password back) or simply salt them with a random key. You can even salt with a different random key for each user, and have another random master salt in your ini files, and hope for the best, that is, that the hacker only gets the table and ignores/does not have access to the executable (the hashed password and first salt are then pretty much useless without the second salt).

      As for MD5, yes it is possible to build collisions, but look at the requirement: you need to be able to enter long chains of bytes to get that effect. I doubt this would be a problem with most password fields. For a crap forum without monetary data, you almost certainly would not care. The only problem is when people reuse passwords. I disagree that you need a strong password for a random forum. You need one where it counts, email, bank, etc… But for all the 100s of forums where I register? Easy password it is.
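As an added illustration of the two points raised by mavrik (a lookup table built for one salt is worthless against another) and by aepervius (a second “master salt” kept outside the database), not code from the article or its commenters: this Python uses only the standard library, PBKDF2 stands in for bcrypt/scrypt, and the weak password and guess list are constructed sample data. It shows what a dump of salted MD5 hashes leaves an attacker able to do compared with a peppered hash or a slow KDF.

```python
import hashlib
import secrets
import time

# Constructed sample data (not from the breach): a weak password plus a tiny guess list.
WEAK_PASSWORD = "password123"
GUESSES = ["letmein", "123456", "qwerty", "password123", "witcher"]

def md5_salted(password: str, salt: bytes) -> str:
    """Forum-era scheme: a single fast MD5 over salt || password."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def md5_salted_peppered(password: str, salt: bytes, pepper: bytes) -> str:
    """The two-salt variant: a second secret kept in app config, not in the DB row."""
    return hashlib.md5(pepper + salt + password.encode()).hexdigest()

def pbkdf2_slow(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Deliberately slow KDF (stdlib stand-in for bcrypt/scrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def lookup_table(hash_fn, salt: bytes, words) -> dict:
    """Precomputed hash -> word table; only valid for this exact salt."""
    return {hash_fn(w, salt): w for w in words}

def guesses_per_second(hash_fn, salt: bytes, rounds: int) -> float:
    """How fast the scheme lets someone holding only the DB test candidate passwords."""
    t0 = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"guess{i}", salt)
    return rounds / (time.perf_counter() - t0)

def demo() -> dict:
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    pepper = secrets.token_bytes(32)  # lives in config, never in the dumped table
    table_a = lookup_table(md5_salted, salt_a, GUESSES)  # built for user A's salt only
    return {
        # Same salt: the precomputed table hands over the weak password at once.
        "same_salt": table_a.get(md5_salted(WEAK_PASSWORD, salt_a)),
        # Per-user salt: user B's hash is not in A's table, so a table is needed per user.
        "other_salt": table_a.get(md5_salted(WEAK_PASSWORD, salt_b)),
        # Pepper absent from the dump: the DB-only table finds nothing.
        "peppered": table_a.get(md5_salted_peppered(WEAK_PASSWORD, salt_a, pepper)),
        # Salting does not slow per-user guessing at all; only a slow KDF does.
        "md5_rate": guesses_per_second(md5_salted, salt_a, 20_000),
        "pbkdf2_rate": guesses_per_second(pbkdf2_slow, salt_a, 10),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt only forces per-user work; the rate figures show that the per-user work itself is cheap for MD5 and expensive for a slow KDF, which is the property a stored-password hash actually needs.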

  3. rootfs.ext2.gz says:

    Might not be the best place to rant about this, but can we please just move away from MD5, salted or not? Surely more developers know that MD5 is just cryptographically bad due to security issues and just how fast it is to generate a hash.

    What I want to know is if bcrypt is still the kid on the block or has that been taken over now?

    • Mnyo says:

      I think bcrypt is still good, but the implementation seems to matter. Ashley Madison used bcrypt and the hashes have been deciphered. Cf. link to schneier.com

    • trjp says:

      Can we just move away from passwords for everything full-stop on account of how they’re useless and unnecessary in most cases.

      We need to stop demanding 20 characters including upper-case, lower-case, a symbol, 2 small mammals and a form of confectionery under 20 calories.

      We also need to stop asking for every password to be different, people cannot remember infinite passwords, should not have to use software to do so.

      Basically, sites are too keen to build marketing lists and care not one jot about the users beyond that – time this stopped completely – third-party validation/using Google/Yahoo/Facebook etc. should be the norm for trivial shit like gaming forums and the like.

      That way you have your social media account(s), your bank accounts(s) and that’s just-about rememberable.

      Then you switch to hardware keys (e.g. smartphones and authenticators) for those and passwords are a thing of the past – at last.

      • Landiss says:

        No, thanks. I don’t want big corporations to have even more detailed knowledge about all my actions on the internet than they already have…

        • trjp says:

          Take your tin-foil hat off – you look like a berk.

          OpenID-type systems are not exclusive to ‘big corporations’ either – you could have any number of organisations offering an ‘ID’, use whichever you trust/prefer.

          Reminder: We’re talking about gaming here – it’s not important, privacy is not relevant and – indeed – throwaway anonymity is the cause of 90% of the bullshit in these places and we could live without it.

          • Landiss says:

            Oh, I had no idea this conversation would be so pleasant. I would love to continue this discussion, but the amount of love presented here is overwhelming and I need to take a step back. Have a nice weekend.

      • Ghostwise says:

        There are passwords managers. Passwords managers are nice. Free, too, for some good ones.

        • DelrueOfDetroit says:

          There’s also this thing called paper I hear it works pretty good with pan? Pon? Something like that.

          • Ghostwise says:

            Oh no, I’ve seen the movie. The blandly photogenic hackers find the paper with the passwords and then they stop the nice project from the kind gentleman in the volcano base with the nuclear warheads and the death’s head stormtroopers.

            Paper = bad.

          • trjp says:

            Sarcasm aside, pen and paper don’t work for people who are highly mobile and password managers aren’t so great for people who use a lot of different PCs and Mobile devices (there isn’t a single one which remotely works on all platforms).

            I deal with passwords and password issues for a living – I see how actual real people use this stuff and I get people asking me if I can remember the password I helped them set up in 2009 – I know a bit about this stuff and the solution is to bin the lot of it.

        • trjp says:

          Not sure if you’re not reading what I said or just a bit dim, but most people don’t want/will not use software to track passwords and it shouldn’t be necessary anyway.

          Password managers are a nerd solution to a nerd problem, complexity making complexity more complex.

    • aepervius says:

      SHA-256 is good enough and quick enough, but again MD5’s weakness lies in possible collisions if the size is not checked, and you need relatively large data to be entered (yes, I am aware of ONE chain of alphanumerics which has the same MD5 as another, but it is really the unicorn-rare kind of example; for password123 and similar stuff the chance is infinitesimal). Signing a program or important document would be a problem as you can easily pad stuff at the end. For a password it is not, as you will run into the problem of adding random bytes.

      For hashing of something as unimportant as a forum, where the password field on the web are limited, you do not really care IMO which hashing, the main problem is to make sure there is a random salt to avoid rainbow table.

  4. Freud says:

    This is the reason I never give internet sites more info than they absolutely need. If I had followed Yahoo’s friendly reminder that my account would be safer if they just had my mobile phone number, my mobile phone number would have been part of the database that got hacked.

    I’ll leave as tiny a digital footprint as I can.

    • trjp says:

      What you’re talking about there is everyone’s desire to gather AS MUCH information as possible – not because it’s useful but because it’s VALUABLE.

      Tech companies are less and less valued on their products and more on their customer database – this is why they all want you to sign up and register your life with them, because it actually increases their worth.

      What you’re doing makes sense – offer the least information possible to the fewest possible people. The end-point of that is taking away companies’ obsession with collecting data themselves tho.

  5. jmtd says:

    1Password is very, very nice and a year subscription was included in a recent humble bundle so many of you may already have it.

  6. KastaRules says:

    This hacking forums thing is getting wild.

  7. maxbuttpayne says:

    What if theres this hacking thing but, listen to me, what if theres a fabulous musical in the making where how this bastard of a rotten text is read not only by little people but literally little people then how come not some beautiful piece of writ can counter that ****y drowned world of words within worlds.

    Tonight the proposal of HCK gets a little teapot from the shadow fox of Jade Empire how my god the presentation is delivered above the Witcher style of hard-ass magicka but not quite like that thing… where punk sensibilities get delivered with Tactical Sexy Combat, I mean how in the street of bullets stay hard no-nonsense blank stare without compromising my love of nothingness.

    I want the want to succeed where video game rock and roll takes my breath away. Please take it away, take my money while youre at it. I’m already a slave to your half-assed RPG fantasies, if you make it a fully fleshed out sex-punk world I will not hesitate, I will get deep, deeper than the developers ever imagined for such a little man. If all that makes no sense then be patient, for it will all make sense in the year of 2014.

  8. Papageno says:

    So what would the URL for the old forums be? Would it have the string “witcher” in it? If so checking LastPass shouldn’t be too hard.
