The database apparently included user information such as account names and encrypted passwords. Additionally, at least a part of the passwords has apparently been cracked during by the unidentified intruder and it's possible that they also had access to account information such as billing addresses and incomplete credit card numbers. All accounts that Cryptic believes were in the database already had their passwords reset, but it would be in good form to change it anyway for anyone that possesses such an account.
While we have no evidence that any other information was taken by the intruder, it is possible that the intruder was able to access additional account information. If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed. We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user.
We are continuing to investigate this incident, and are taking even further action to strengthen our systems and redouble our security vigilance and protections. For your own security, we encourage you to be especially aware of e-mail and postal mail scams that ask for personal or sensitive information. Cryptic will not contact you in any way, including by e-mail, asking for your credit card number, social security number, or any other personally identifiable information. If you use the same password for other accounts, especially financial accounts or accounts with personal information, we strongly recommend that you change them.
It's bad enough that this kind of accidents happen, but discovering it almost 2 years later? Jeez.