Star Citizen studio suffered a data breach in January, and some players aren’t happy with the very quiet disclosure that only happened this week

Star Citizen studio Cloud Imperium has reported a data breach following “a systematic and sophisticated attack,” which it says resulted in unauthorized access to some of its backup systems, “including limited access to users’ personal data.” The studio says it doesn’t believe the breach constitutes a safety risk and no financial or payment information was taken, but it’s nonetheless facing some criticism for how it disclosed the breach, and how long it took to do so.

The breach was reported in a message on the Roberts Space Industries website, which states, “On 21 January 2026, CIG was targeted by a systematic and sophisticated attack, resulting in unauthorised access to some backup systems, including limited access to users’ personal data. CIG acted quickly to contain the activity and block further access to this data and CIG systems, and we have refreshed security settings to ensure that there is no threat to our games or our users.

“While CIG is still monitoring the situation, we do not consider that the incident poses a risk to the safety of our users. The data impacted relates only to basic account details (i.e. metadata, contact details, username, date of birth, and name). No financial or payment information was stored in the affected systems and was not accessible. No passwords were impacted, and the access was read-only. No data-injection or modification occurred.

“We are closely monitoring the situation and our systems to ensure that no further incidents occur. We are also taking steps to assess and detect whether any data that was accessed is released publicly. At this stage, there are no indications of any such activity. We are sharing this update in the interests of transparency. However, we do not anticipate that this incident will have any impact on our users.”

That message is not actually linked on the RSI front page, however, and players weren’t notified of the breach via email, according to posts in the Star Citizen subreddit. There’s also no mention of it on Star Citizen social media channels. Instead, the notification reportedly appears as a pop-up when players log into their Star Citizen accounts, and the incident only came to more widespread light after players reported it to tech site The Register.

There’s also some criticism about the length of time it took for the breach to be revealed, although there’s some pushback on that from supporters who say six weeks isn’t an unreasonable amount of time in cases like this. Which is indeed sometimes the case: It took months for the Notepad++ data breach to come to light, for instance—but on the other hand, when Insomniac suffered a major hack in 2023, it put the word out in a week.

Of greater concern is the fact that data was stolen. While Cloud Imperium downplayed the risk, focusing on the lack of financial information in the stolen data, some followers say the information that was taken could potentially be used in social engineering attacks, particularly since the studio didn’t specify what the “metadata” contained.

“The thing is, if the metadata contained emails, alongside the name and date of birth, this could allow for some dangerous phishing emails to their entire userbase,” redditor swisstraeng wrote. “If true, we are extremely lucky not to have received phishing already, given the breach happened January 21st and we only received news now about it.”

“Small data breach including ‘metadata’ (which they refuse to describe), and personal information like address name and birthdate,” Watcherxp added. “This is not ‘small.'”

Others shared similar thoughts:

Comment from r/starcitizen

Comment from r/starcitizen

I’ve reached out to Cloud Imperium for more information, but for now that last message is good advice: Passwords may not have been accessed but change yours anyway, enable 2FA (I hate 2FA but until someone figures out a better way, it’s what we’ve got), and most importantly, do not click any links received via email because that’s where the trouble is likely to come from: Go to the website and do it manually, this time and every time. That might sound like old crank being cranky right now, but trust me, sooner or later you’ll thank me for it.