CDPR leaked data makes it way online. Console SDK's, games, and future game sourcecode leaked

[WolframaticAlpha]

Summary

CDPR was the victim of a massive cyberattack a few months ago. Well, now the leaked data is reaching the hands of the public. The hackers may have also leaked the PS5, PS4, xbox series and nintendo switch SDK's "as a show of their goodwill".  Since all of the content is in a torrent, the veracity of the files cannot be fully verified. However in the readme of the hackers have also leaked the cyberpunk, witcher and thronebreaker source code. The files are password protected, and can only be unlocked from a 10000 dollar fees to the hacker/seller. This data had been sold in an auction for 7 million dollars.

 

 Quotes

Quote

The stolen data was said to include the source code files for CD Projekt Red’s game development engine, RedEngine, and titles including The Witcher 3: Wild Hunt, an upcoming ray-traced version of The Witcher 3, Thronebreaker: The Witcher Tales and Cyberpunk 2077.

Quote

Additionally, the leak also includes SDKs for PS5, PS4, Nintendo Switch, and the Xbox Series X. All considering these are meant for developer use only, that is a rather huge leak. It is, however, important to note that the SDK alone shouldn’t lead to these consoles (specifically PS5 and XSX) being exploited. While yes, these SDK would allow the creation of homebrews, there is no way to actually run them, at least until specific consoles are exploitable. Thankfully, next-gen consoles have yet to be publicly exploited.

Quote

Those downloading the public torrent currently can’t access all the files, however, as the archive is password protected. It is reported that the leakers do intend to release the password soon via an onion URL.

This seems to confirm reports from back in February, which claimed the original hackers had sold the stolen files in an auction. 

Assuming the files do get unlocked, this is going to cause more legal headaches for CD Projekt Red. Currently, investigations are still ongoing into the source of the attack but the culprits have not been found yet. 

My thoughts

This is a pretty major developement. I hope that CDPR actually fixes their game. No developer should face the shit being hurled at them. Criticism is fine, but such malicious attacks are wrong

 

This alsp illustrates the importance of good opsec

 

Sources

Report: CDPR Data Breached Files Make Their Way Online, Includes SDKs for PS5, Xbox Series, and Switch - MP1st

Stolen CD Projekt data including Cyberpunk’s source code has reportedly leaked | VGC (videogameschronicle.com)

CD Projekt Red source code and stolen assets reportedly leaking publicly | KitGuru

Edited June 4, 2021 by WolframaticAlpha
Thank you @Master Disaster for correcting

[da na]

Very interesting... Wonder how this may progress in the future.

[Vishera]

Could be infected with malware.

[Master Disaster]

Errr, $10K for the password. Thats $10,000.

 

This kind of supports the theory that they were unsuccesful at actioning the data, unless they took the money then released it anyway.

[Spindel]

6 minutes ago, Master Disaster said:

Errr, $10K for the password. Thats $10,000.

 

This kind of supports the theory that they were unsuccesful at actioning the data, unless they took the money then released it anyway.

Can't we just do a F@H project and brute force the password/encryption  

 

Hack the hackers

[Sauron]

33 minutes ago, WolframaticAlpha said:

10 dollar fees

the text file says 10k dollars, as in 10000

35 minutes ago, WolframaticAlpha said:

This is a pretty major developement. I hope that CDPR actually fixes their game. No developer should face the shit being hurled at them. Criticism is fine, but such malicious attacks are wrong

Nah, they deserve this and more - the people potentially losing money from this (even though I'm very skeptical they'll actually face a significant financial hit) are exactly the ones responsible for abusing their employees and forcing them to produce the awful shitshow that cyberpunk 2077 turned out to be. Though of course, this is iLlEgAl and therefore you should never do it.

20 minutes ago, Grand Admiral Thrawn said:

That would be a truly 5head move.

 

Imagine being a company selling games and you leave a vulnerable server full of malware infected source code or even full games and a hacker distributes it around the world.

Since AFAIK owning a malware database is not illegal.

This has been done multiple times, not with malware as far as I know (because that would get very dodgy from a legal standpoint) but with "joke" versions of software, e.g. games that would let you progress only until a certain point and them troll you or show problems that would lead you to identify yourself in support requests.

[Sauron]

Just now, Spindel said:

Can't we just do a F@H project and brute force the password/encryption  

 

Hack the hackers

Sure, are you sure you won't need your computer before the heat death of the universe?

[TheReal1980]

I won't lose any sleep if any of these hackers slip in the bathtub and hit their heads.

[WolframaticAlpha]

1 minute ago, Sauron said:

the text file says 10k dollars, as in 10000

I corrected it now. Thank you for pointing it out. Also thank you @Master Disaster

[WolframaticAlpha]

1 minute ago, Sauron said:

Sure, are you sure you won't need your computer before the heat death of the universe?

I am actually a proponent of the big crunch.

 

But bruteforcing mightn't be that hard. 

Ultimate triple cross would be malware ridden files in the archive you managed to bruteforce

[Sauron]

3 minutes ago, WolframaticAlpha said:

But bruteforcing mightn't be that hard. 

all of our modern security relies on it being that hard.

[WolframaticAlpha]

9 minutes ago, Sauron said:

all of our modern security relies on it being that hard.

Internet stupidity vs Foundation of modern security?

 

Internet stupidity WILL win

[Sauron]

Just now, WolframaticAlpha said:

Internet stupidity vs Foundation of modern security?

 

Internet stupidity WILL win

uhhhh... no. it's cheaper and infinitely faster to just pay the money if you really want this. I don't even know why you'd want this, you can't be caught using it so it's not like you can make your own witcher 3 clone and make bank, or make custom patches for it or whatever.

[WolframaticAlpha]

2 minutes ago, Sauron said:

uhhhh... no. it's cheaper and infinitely faster to just pay the money if you really want this. I don't even know why you'd want this, you can't be caught using it so it's not like you can make your own witcher 3 clone and make bank, or make custom patches for it or whatever.

OPENSOURCE Cyberpunk. It'll get fixed in two weeks

[Sauron]

Just now, WolframaticAlpha said:

OPENSOURCE Cyberpunk. It'll get fixed in two weeks

yeah but that's something only cdpr can willingly do. also even if someone fixed the bugs it wouldn't fix the plot. and I don't believe a handful of volunteers can do better in two weeks than hundreds of (though meagerly) paid employees can do in years.

[Blademaster91]

2 hours ago, Sauron said:

Nah, they deserve this and more - the people potentially losing money from this (even though I'm very skeptical they'll actually face a significant financial hit) are exactly the ones responsible for abusing their employees and forcing them to produce the awful shitshow that cyberpunk 2077 turned out to be. Though of course, this is iLlEgAl and therefore you should never do it.

No they don't lol. I think CDPR could've launched CP2077 better, but they don't deserve cyberattacks because people are upset over game bugs.

The people getting hurt from the malicious attacks are the the CDPR employees, malicious attacks like this usually result in companies getting rid of staff because the company loses money.

This doesn't affect you as a consumer unless you pre-ordered the game or bought it without looking at reviews first, but if you don't like the game no one is forcing you to buy it.

Edited June 4, 2021 by Blademaster91
fixed spelling

[StDragon]

I genuinely feel bad for CDPR. While they screwed up in the console launch (steaming pile o crap of code) and buggy PC version, they really have an otherwise good game. I don't regret the purchase and will get around to playing it again once I can upgrade the GPU. That, and patching should make the game more mature from a development standpoint. But COVID delays combined with GPU shortages along with ransomware really disemboweled the company and their momentum in the gaming industry. Which is sad, because Cyberpunk 2077 didn't deserve this kind of launch IMHO. It was completely avoidable!

[BuckGup]

1 hour ago, Spindel said:

Can't we just do a F@H project and brute force the password/encryption  

 

Hack the hackers

Yeah it's a 7zip archive so you totally could. You could use hashtopus which is a distributed computing wrapper for hashcat 

https://github.com/curlyboi/hashtopus

 

[SansVarnic]

-= Derailment Removed =-

Lets keep this On Topic. This is a discussion about a hack/leaked data, not how a company treats its employees. That is another discussion for another thread.

[Levent]

Interesting. So technically Sony and Microsoft can be involved now as they leaked their SDK right? I dont think Sony has a SDK that is open to public and I know Microsoft requires at least some acknowledgement for terms and uses before letting user have any XDK access.

[Orangeator]

3 hours ago, Sauron said:

Sure, are you sure you won't need your computer before the heat death of the universe?

Would it really take that long? I'd imagine a single 3080 could attempt billions of operations (i.e., passwords) at a file per second. Combine the forces of a couple thousand high end GPU's, I'd imagine you'd be able to guess trillions of passwords per second. Lol.

[samcool55]

1 hour ago, Orangeator said:

Would it really take that long? I'd imagine a single 3080 could attempt billions of operations (i.e., passwords) at a file per second. Combine the forces of a couple thousand high end GPU's, I'd imagine you'd be able to guess trillions of passwords per second. Lol.

Yes it CAN take that long.

It all depends on what kind of encryption they used.

Stuff like AES-256, good luck getting like 10k tries per second.

MD5 can easily hit 1M tries even on older hardware.

[wanderingfool2]

1 hour ago, Orangeator said:

Would it really take that long? I'd imagine a single 3080 could attempt billions of operations (i.e., passwords) at a file per second. Combine the forces of a couple thousand high end GPU's, I'd imagine you'd be able to guess trillions of passwords per second. Lol.

Yes, it would realistically take too long to use.

 

Notes:

Password cracking for decryption is harder than just password cracking with hashes.  With that said, apparently the 3090 can do slightly less than 3.5 billion a second (let's round that up to 10 billion a second though) https://www.extremetech.com/extreme/316266-the-nvidia-rtx-3090-gpu-can-probably-crack-your-passwords

 

Assume they used just an 8 character password, 0-9....that's 50,000,000 on average guesses needed (worst case 100,000,000).  So cracked in milliseconds easy with modern hardware (a-z,0-9) [The formula being 10^8/2 for average case)

Let's add on the fact most people would have a letter.  (a-z,0-9)[36 items].  36^8/2 roughly 1.4 trillion on average.  So yea, cracked in ~140 seconds.

Now, lets say they actually used capitals.  (a-z,A-Z,0-9)[62 items].  62^8/2 roughly 109 trillion on average.  Still solvable though, might take 3 hours on average

Let's add 8 special characters, (a-z,A-Z,0-9, [.<>!_$^?]) [70 items]. 70^8/2 roughly 288 trillion on average.  Those 8 extra characters nearly 2.5x the time it would take.

 

Let's say since they were hackers they decided to use a still small password length of 12 (anyone trying to protect data would likely use more)

70^12/2 roughly 6,920,643,600 trillion on average. (Assuming 10 billion a second, and 10 million people using their cards to try solving that's about 19 hours)

 

Let us say though they used a 15 character password.  70^15/2, assuming 10 billion a second, and 1 trillion cards, which is wildly unrealistic (10b * 1t = a whole lot); that's still about 3 days with 1 trillion cards

[Sauron]

2 hours ago, Orangeator said:

Would it really take that long? I'd imagine a single 3080 could attempt billions of operations (i.e., passwords) at a file per second. Combine the forces of a couple thousand high end GPU's, I'd imagine you'd be able to guess trillions of passwords per second. Lol.

We're dealing with combinatorics in the order of 10⁴⁰ for a 20 character password, trillions of operations per second are nothing.

[WolframaticAlpha]

2 minutes ago, Sauron said:

We're dealing with combinatorics in the order of 10⁴⁰ for a 20 racter password, trillions of op

It would be pretty friggin awesome if cdpr or someone, hacks into the hackers, and deletes all their files. If they release the files still, we are dealing with savants, or the password is easy.