Hackers breach Star Citizen players’ personal data in January, but CIG only just got around to mentioning it

It’s lovely when we hear of “sophisticated” attacks that allow all and sundry to seemingly waltz into a company server that we have entrusted with keeping our secret stuff, well, secret, and well, do as they will with it.

Signing up for pretty much any online game these days involves a raft of, often unnecessary, details being handed over to faceless corporations who then treat them with all the reverence and security of writing them on the back of a cigarette packet and leaving it on a bar table.

It should not be acceptable for these hackers, who, let’s face it, are rarely the ones capable of breaking into sophisticated military systems, to be able to log on to a system and copy my personal information that I have entrusted to any company, onto their PC in their bedroom.

If that happens, there should be consequences, not just for the hacker, but for the company responsible, beyond a throwaway statement saying, nothing to see here.

Step forward today’s baddies, Cloud Imperium Games (CIG), which has posted the following on its website.

On 21 January 2026, CIG was targeted by a systematic and sophisticated attack, resulting in unauthorised access to some backup systems, including limited access to users’ personal data. CIG acted quickly to contain the activity and block further access to this data and CIG systems, and we have refreshed security settings to ensure that there is no threat to our games or our users. 

While CIG is still monitoring the situation, we do not consider that the incident poses a risk to the safety of our users. The data impacted relates only to basic account details (i.e. metadata, contact details, username, date of birth, and name). No financial or payment information was stored in the affected systems and was not accessible. No passwords were impacted, and the access was read-only. No data-injection or modification occurred.  

We are closely monitoring the situation and our systems to ensure that no further incidents occur. We are also taking steps to assess and detect whether any data that was accessed is released publicly. At this stage, there are no indications of any such activity. 

We are sharing this update in the interests of transparency. However, we do not anticipate that this incident will have any impact on our users. 

If you have any questions or notice anything unusual in connection with your account, please contact us, and our team will be happy to assist. 

Let’s start with the obvious. It’s March 3rd. Assuming we take the line, “CIG acted quickly to contain the activity and block further access to this data and CIG systems, and we have refreshed security settings to ensure that there is no threat to our games or our users.” at face value, and this all happened instantly enough to matter, why are customers waiting almost six weeks to hear that their personal data is in the hands of somebody it should not be?

“We do not consider that the incident poses a risk to the safety of our users.” – That’s not your decision. I decide whether somebody having MY data, when I do not know who they are, is a risk to ME. Can I have a say here?

“We are sharing this update in the interests of transparency.” – Oh, it seems a thank you is in order. Thanks for allowing somebody to get into your secure system, taking information about me away without my knowledge or permission, and then you are doing me a favour by letting me know. Seriously?

Next, these two lines are placed next to each other…

• We are also taking steps to assess and detect whether any data that was accessed is released publicly. At this stage, there are no indications of any such activity. 
• However, we do not anticipate that this incident will have any impact on our users. 

So it might still be released. Because, let’s face it, you have no say in whether it is or is not now? So you can’t actually say whether it will impact me and however many other people, or not, can you?

“The data impacted relates only to basic account details (i.e. metadata, contact details, username, date of birth, and name)”

So, assuming my username, date of birth, and contact details, at best just my email, are potentially out there, that’s actually quite a lot of personal information – enough to easily gain access to other services, should I be stupid enough (which I definitely am) to use the same or similar elsewhere?

And are we assuming with the sophistication of data brokers these days that having my date of birth and potentially my address is not enough to personally identify me? Even my mobile phone number will easily pin me down. It doesn’t matter that they don’t have the card details I last used to spend money with CIG when I bought the Star Citizen beta a decade ago.

Not only are all my details out there, but they have been out there since January 21st without my knowledge.

For context, this is a game that took over $2.5 million in a single day of November’s crowdfunded Expo on top of the gazillions that have been pumped into it by fans since its inception.

Unbelievable.