CDPR:

Is the stolen Cyberpunk material from a hack that may include GOG members having compromised data?

I know you can't go into detail about an on-going investigation, but I am wondering if the info stolen was from a hack that may have included GOG member data and credit cards that may be on file or any other payment or personal data.

Was this a breach that may have affected millions of users and now we need to be on the lookout for suspicious activity or was it specific to the game?

Any info on this would help, thanks.
At some point GOG stated that they don’t store credit card data. Instead they store a token which is issued by the CC processor and is valid on GOG only. So even if someone compromised their database, they couldn't use those tokens anywhere else.
blotunga: At some point GOG stated that they don’t store credit card data. Instead they store a token which is issued by the CC processor and is valid on GOG only. So even if someone compromised their database, they couldn't use those tokens anywhere else.
I didn't know that, as I have never stored the CC and always fill out the payment information as a one-time entry for each and every transaction.

Thanks for that info.
MajicMan: I didn't know that, as I have never stored the CC and always fill out the payment information as a one-time entry for each and every transaction.

Thanks for that info.
This is actually a bit less secure than what GOG (claims to) do. Every time you enter the raw CC info and someone sees it travelling over the internet, they could freely use it. SSL isn't unbreakable - it relies on all certification authorities being honest and not issuing certs for a domain without confirming domain ownership. There were already fake certs for google.com, I think. Security is always a game of cat and mouse.

With the token method, GOG could put their database on a public FTP server and no one would be able to misuse it (to get at your money, at least) anyway.
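The two claims above (blotunga's post that GOG keeps only a processor-issued, GOG-only token, and huan's point that a leaked token database is harmless while a raw card number in transit is fully reusable) can be shown side by side in a small simulation. This is an added example, not GOG's or any processor's code: the processor vault, the merchant IDs "gog" and "other-shop", and the customer record layout are assumptions for illustration, and the card number is the well-known Visa test PAN, not a real card.

```python
"""Merchant-scoped card tokenization versus raw-PAN-per-transaction, simulated."""
import hmac
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; the sanity check a processor runs before vaulting a PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardToken:
    value: str        # random and opaque; carries no information about the PAN
    merchant_id: str  # the only merchant the processor will honour it for
    last4: str        # display only


class ProcessorVault:
    """Stand-in (assumed behaviour) for the card processor's tokenization service.

    The full PAN exists only here. A merchant submits the PAN once and gets back
    a token that the processor binds to that merchant.
    """

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, str]] = {}  # token -> (merchant, pan)

    def tokenize(self, merchant_id: str, pan: str) -> CardToken:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        value = secrets.token_urlsafe(24)
        self._entries[value] = (merchant_id, pan)
        return CardToken(value, merchant_id, pan[-4:])

    def charge(self, merchant_id: str, token_value: str, amount_cents: int) -> tuple[bool, str]:
        entry = self._entries.get(token_value)
        if entry is None:
            return False, "unknown token"
        bound_merchant, pan = entry
        # constant-time compare: the merchant binding is the whole security property
        if not hmac.compare_digest(bound_merchant.encode(), merchant_id.encode()):
            return False, "token is bound to a different merchant"
        return True, f"charged {amount_cents} cents to card ending {pan[-4:]}"


class MerchantDB:
    """What a tokenizing merchant persists per customer: the token, never the PAN."""

    def __init__(self, merchant_id: str, vault: ProcessorVault) -> None:
        self.merchant_id = merchant_id
        self.vault = vault
        self.rows: dict[str, CardToken] = {}  # customer -> stored token

    def save_card(self, customer: str, pan: str) -> None:
        # the PAN goes straight to the processor; only the returned token is stored
        self.rows[customer] = self.vault.tokenize(self.merchant_id, pan)

    def charge_customer(self, customer: str, amount_cents: int) -> tuple[bool, str]:
        return self.vault.charge(self.merchant_id, self.rows[customer].value, amount_cents)


def dump_contains_pan(db: MerchantDB, pan: str) -> bool:
    """Simulate an attacker reading the entire merchant database."""
    return pan in repr(db.rows)


def run_scenario() -> dict:
    """Constructed scenario: one processor, the merchant 'gog', an attacker with
    their own merchant account 'other-shop', and the Visa test PAN 4111...1111."""
    vault = ProcessorVault()
    gog = MerchantDB("gog", vault)
    pan = "4111111111111111"
    gog.save_card("alice", pan)

    # Tokenized path: the stolen database yields a token that only "gog" can spend.
    leaked_token = gog.rows["alice"].value
    # Raw-PAN path (one-time entry): a TLS interposer sees the card itself, which
    # any merchant anywhere can turn into a token of their own.
    intercepted = {"pan": pan, "exp": "12/30", "cvv": "123"}  # constructed payload
    replayed = vault.tokenize("other-shop", intercepted["pan"])

    return {
        "dump_has_pan": dump_contains_pan(gog, pan),
        "gog_charge": gog.charge_customer("alice", 1999),
        "attacker_token_charge": vault.charge("other-shop", leaked_token, 1999),
        "raw_pan_replay_ok": replayed.last4 == pan[-4:],
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The merchant database never sees anything but a random token and the last four digits, so a dump of it gives an attacker nothing to charge elsewhere; the raw-PAN path, by contrast, hands whoever can read the request a credential that is valid at every merchant until the card is reissued.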
MajicMan: I didn't know that, as I have never stored the CC and always fill out the payment information as a one-time entry for each and every transaction.

Thanks for that info.
huan: This is actually a bit less secure than what GOG (claims to) do. Every time you enter the raw CC info and someone sees it travelling over the internet, they could freely use it. SSL isn't unbreakable - it relies on all certification authorities being honest and not issuing certs for a domain without confirming domain ownership. There were already fake certs for google.com, I think. Security is always a game of cat and mouse.

With the token method, GOG could put their database on a public FTP server and no one would be able to misuse it (to get at your money, at least) anyway.
I know how the tokens work and know that it is still not perfect. GOG also has other private and personal data, so it is still concerning for many fraud possibilities even if the CC isn't taken - which is usually the easiest to deal with these days, as fraud is covered.

So no response from CDPR is worrying now at this point.
MajicMan: CDPR:

Is the stolen Cyberpunk material from a hack that may include GOG members having compromised data?
You're worrying about nothing. No organization worth a damn is going to use the exact same system and servers for everything. If one high-level account was compromised, someone would "have the keys to the entire kingdom".

Maybe if we're talking Sony... but literally anyone else that knows anything is not going to store customer data using the same system as dev projects and the like. There is no reason to, and afaik GOG and CDPR are sister companies, not the same entity.
huan: This is actually a bit less secure than what GOG (claims to) do. Every time you enter the raw CC info and someone sees it travelling over the internet, they could freely use it. SSL isn't unbreakable - it relies on all certification authorities being honest and not issuing certs for a domain without confirming domain ownership. There were already fake certs for google.com, I think. Security is always a game of cat and mouse.

With the token method, GOG could put their database on a public FTP server and no one would be able to misuse it (to get at your money, at least) anyway.
MajicMan: I know how the tokens work and know that it is still not perfect. GOG also has other private and personal data, so it is still concerning for many fraud possibilities even if the CC isn't taken - which is usually the easiest to deal with these days, as fraud is covered.

So no response from CDPR is worrying now at this point.
If they were hacked for that information they would have said as such. One doesn't need to be hacked to have information leak out to the public.
MajicMan: I know how the tokens work and know that it is still not perfect. GOG also has other private and personal data, so it is still concerning for many fraud possibilities even if the CC isn't taken - which is usually the easiest to deal with these days, as fraud is covered.

So no response from CDPR is worrying now at this point.
eisberg77: If they were hacked for that information they would have said as such. One doesn't need to be hacked to have information leak out to the public.
Why do you believe that?

Sony didn't release news of their breach in a timely manner, nor did Target. Yahoo! didn't tell anybody, and then when they finally did tell of a breach, they didn't mention a second hack or anything near the size and scope of how they were hacked, and it cost them an extra half-billion dollars off their sale price to Verizon.
MajicMan: Why do you believe that?

Sony didn't release news of their breach in a timely manner, nor did Target. Yahoo! didn't tell anybody, and then when they finally did tell of a breach, they didn't mention a second hack or anything near the size and scope of how they were hacked, and it cost them an extra half-billion dollars off their sale price to Verizon.
Because it is required by law in many countries to inform customers of data breaches. That of course doesn't mean that everyone complies with such laws when breaches happen, but there are legal consequences to not doing so, which ultimately end up costing companies even more money for non-compliance.