Star Citizen developer discloses January breach of backup systems

Cloud Imperium Games said on March 3 that attackers gained read-only access to some backup systems on January 21, exposing basic Star Citizen account information including names, dates of birth, usernames, contact details and metadata. The company said the incident was limited to backups and that no passwords or financial payment data were stored in or accessed from the affected systems.

"On 21 January 2026, CIG was targeted by a systematic and sophisticated attack, resulting in unauthorised access to some backup systems, including limited access to users’ personal data," the company wrote in a notice posted to its site. CIG said it contained the activity, blocked further access and refreshed security settings, and added that its teams are monitoring systems for any public release of data. "We are closely monitoring the situation and our systems to ensure that no further incidents occur. We are also taking steps to assess and detect whether any data that was accessed is released publicly. At this stage, there are no indications of any such activity," the statement said.

The developer behind Star Citizen and Squadron 42, founded in 2012 by Chris Roberts, operates five game studios and employs more than 700 people. The long-running Star Citizen project has attracted millions of players and hundreds of millions in crowdfunding while remaining in extended early access. Cloud Imperium did not disclose how many user accounts were present in the compromised backups.

Reporting outlets pressed the company for additional details that remain unanswered. CIG has not provided technical specifics about how attackers gained access, whether a third-party backup vendor or cloud provider was involved, how long the intrusion lasted, or whether law enforcement or an external forensic firm has been engaged. BleepingComputer said it asked CIG whether affected users had been notified and whether attackers made a ransom demand; a response was not immediately available.

Players and observers criticized the disclosure’s visibility on the company website, with one reader calling it a "Notice duly published in a locked filing cabinet stuck in a disused lavatory." The company’s site displayed a service alert linking to the notice, but outlets described the message as relatively low-profile until reporters flagged it.

CIG’s assertion that access was read-only and that no passwords or payment data were exposed cannot be independently verified from public reporting. Security commentators noted that even limited identity and contact fields can be repurposed for targeted phishing and account takeover attempts when combined with other leaked information from unrelated breaches. Reporters highlighted the risk that names, dates of birth and contact details could fuel credential-stuffing or social-engineering campaigns despite the company’s reassurances.

Key questions remain for affected users and regulators: how many accounts were involved, whether users have been directly notified and whether any data has appeared on public forums or criminal marketplaces. Cloud Imperium says it is investigating and monitoring for disclosures; it has yet to publish a technical postmortem or supply the specific remedial steps taken beyond refreshing security settings.