Internet’s largest hacking forum removed its DDoS-for-hire section after being linked to Mirai attacks
Usernames, hashed passwords and email addresses related to 1,871,373 accounts leaked iStock

CD Projekt Red, the Poland-based developer behind the popular 'Witcher' game and comic series, has been hit with a forum hack that compromised over 1.8 million user credentials, according to breach notification service HaveIBeenPwned.

It reportedly took place in March last year and exposed usernames, passwords and email addresses related to 1,871,373 accounts in total. Many of those signed up to HaveIBeenPwned woke up this morning (31 January) to a notice warning them about the incident.

"Sometimes there can be a lengthy lead time of months or even years before [leaked] data is disclosed publicly," it read. "HaveIBeenPwned will always attempt to alert you ASAP, it's just a question of how readily available the data is."

Security expert Troy Hunt, who runs the breach notification website, tweeted after making the scope of the leak public: "Total of 8,110 individual @HaveIBeenPwned subscribers and 812 domain subscribers just got notices on this. Pretty high hit rate."

On The Witcher's Reddit page, one impacted user wrote: "I and many others might have been notified about the CDPR data breach. HaveIBeenPwned just notified me that I am part of the 1,871,373 accounts in the data breach. Please don't hate too much CDPR, f**k ups happen."

IBTimes UK contacted CD Projekt Red for comment however had received no response at the time of publication. In a previously-released statement uploaded to the firm's forum, the IT team referenced a breach, however provided little solid information at the time.

"It has come to our attention that the now-obsolete forum database might have been accessed and copied from our server by an unauthorised party," it said. "It's the old database we used to run the forum before we migrated to the login system powered by our sister company"

It continued: "While we have no concrete evidence at this point in time that supports saying this actually took place, acting with the community's best interest in mind, we still want you to be aware of the situation.

"If any passwords had been downloaded, they would have also been encrypted. However, we strongly encourage every user to change their password as a precautionary measure. We are sorry for the inconvenience this might have caused."

It is not the first gaming breach of the year. Earlier this month, Supercell, the developer of mobile game Clash of Clans, admitted its forum had been targeted in a hack that compromised 1.1m usernames, hashed passwords and IP addresses.