The developer of the multiplayer space simulation game Star Citizen said it disclosed a data breach that exposed information tied to user accounts, according to a notice published by Cloud Imperium Games (CIG). The company said the incident involved unauthorised access to a corporate system that stored data associated with the game and its community. CIG said it learned of the breach after unusual activity was detected on the affected system and investigated with external cybersecurity specialists.
CIG said the compromised system contained information linked to individuals who have interacted with Star Citizen or related titles such as Squadron 42. The company said the breach exposed names, email addresses, dates of birth, account creation dates, and other account-related details. CIG said payment card information was not stored in the affected system and was not exposed in the incident. The company also said the incident did not impact game servers or gameplay functionality.
In its disclosure, CIG said it had no evidence that the exposed data was subject to misuse or that it was shared on public forums. The company said it reset passwords for accounts believed to have been impacted and notified affected users by email with steps to secure their accounts. CIG also said it implemented additional security measures intended to prevent similar incidents in the future.
The breach notice did not specify how the unauthorised access to the corporate system was achieved or when it first occurred. CIG said it discovered the activity after its security monitoring systems detected irregularities and that it promptly took steps to contain the incident and secure the affected systems.
CIG’s statement said that the affected system did not include full authentication credentials such as passwords in plain text, and that any sensitive authentication information stored there was stored in hashed form. The company said it advised users to enable multi-factor authentication to add an additional layer of account protection.
CIG did not provide a count of the number of accounts or users whose information was contained in the affected system. The notice was published to inform the company’s community and account holders that data associated with their accounts may have been exposed, even if no evidence of actual misuse had been observed.