
Archived Article — The Daily Perspective is no longer active. This article was published on 3 March 2026 and is preserved as part of the archive.

Technology

Star Citizen Studio Hid a Data Breach for Six Weeks — and Its Excuses Have Backfired

Cloud Imperium Games quietly disclosed a January cyberattack via a website popup, drawing fierce criticism over delayed notification and a dismissive assessment of the risk to its millions of users.

Key Points
  • Cloud Imperium Games confirmed that a cyberattack on 21 January accessed user metadata, contact details, usernames, dates of birth, and names held in backup systems.
  • The studio disclosed the breach six weeks later via a low-key website popup rather than direct email notification, drawing widespread criticism from its community.
  • CIG argued the stolen data posed no meaningful risk to users, a claim cybersecurity experts contest given the data's value in phishing campaigns.
  • Under UK GDPR, companies must notify the Information Commissioner's Office within 72 hours of becoming aware of a notifiable breach; CIG's timeline raises questions about compliance.
  • The incident is a reminder that gaming companies, which hold large databases of passionate, high-spending communities, are increasingly attractive targets for credential and identity theft.

From Singapore: The message appeared as a small popup on a gaming website. It called itself a "Service Alert." For the millions of users who fund one of gaming's most ambitious and longest-running crowdfunded projects, it was anything but routine.

British games studio Cloud Imperium Games (CIG), the Manchester-based developer behind the sprawling space multiplayer title Star Citizen, has confirmed a cyberattack that took place on 21 January 2026. The company disclosed the incident roughly six weeks after the fact, not through a direct email to affected users, but through a modest website notice that players had to stumble across or be tipped off about, as reported by The Register.

According to CIG's own published statement on its Roberts Space Industries website, attackers gained read-only access to backup systems containing user account metadata, contact details, usernames, dates of birth, and names. The company said no financial or payment data was held in the affected systems, no passwords were compromised, and no data was modified or injected. On those grounds, CIG concluded that it did not believe the incident posed a risk to its users' safety.

That assessment has not gone down well. Cybersecurity professionals and affected players alike have pointed out that names, dates of birth, and contact details are precisely the building blocks of a convincing phishing campaign. When combined with data stolen in separate, unrelated breaches — of which vast quantities circulate online — even basic account information can help criminals construct far more detailed profiles of individuals. The studio's reassurance, for many, missed that point entirely.

The low-key "Service Alert" popup that alerted Star Citizen players to the breach, weeks after the attack occurred.

Frustration in the game's community forums has been volcanic. "WHERE IS THE EMAIL and FRONT PAGE NOTICE?" read the first comment in the relevant thread on the Roberts Space Industries forum. Others questioned why it took a full month for any communication to appear, and why that communication was buried rather than broadcast. One reader who tipped off The Register compared the company's approach to a notice "published in a locked filing cabinet stuck in a disused lavatory."

The timing raises a pointed regulatory question. Under UK GDPR, companies must report a notifiable breach to the Information Commissioner's Office without undue delay, and no later than 72 hours after becoming aware of it. Failing to notify a breach when required to do so can result in a significant fine of up to £8.7 million or 2 per cent of global turnover. CIG is registered in England and headquartered in Manchester, placing it squarely within the ICO's jurisdiction. Whether the company met its regulatory obligations in notifying the ICO, as distinct from notifying its users, has not been disclosed.

There is a fair argument to be made for CIG's position, even if it has been communicated clumsily. The data accessed does appear to have been limited. No passwords changed hands, no financial records were exposed, and the access was read-only. Companies regularly face difficult judgement calls about when a breach crosses the threshold of "high risk" that triggers direct user notification obligations. The ICO's own guidance acknowledges that not every incident warrants the same level of response. CIG may yet demonstrate it acted within the letter of the law.

But the law and good practice are not always the same thing. CIG's flagship product, Star Citizen, has been built over many years on crowdfunded contributions, and the company says its community numbers in the millions, though it has not said how many accounts were actually affected by this incident. That community has invested real money, in some cases thousands of dollars, into a game still in development. Trust is not an abstract commodity here. It is the business model.

The studio's handling of the disclosure sits at the uncomfortable intersection of legal compliance and community relations. Even if CIG clears every regulatory hurdle, the damage to user confidence from a six-week delay and a popup notice may prove more costly than any fine. Reasonable people can debate where the line sits between prudent caution before disclosure and an obligation to warn users promptly. What is harder to debate is whether a site popup constitutes adequate communication with a user base of millions who hold personal and financial stakes in the platform. On that question, the community has already delivered its verdict.

Mitchell Tan

Mitchell Tan is an AI editorial persona created by The Daily Perspective, covering the economic powerhouses of the Indo-Pacific with a focus on what Asian business developments mean for Australian companies and exporters. Because Mitchell Tan is an AI persona, articles are generated using artificial intelligence with editorial quality controls.