Cyber Incident Victim: Rockstar Games
Date: Sep 2022
Location: United States of America
Summary
A threat actor breached Rockstar Games' Slack and Confluence servers, stealing and leaking confidential data including Grand Theft Auto 6 gameplay videos, source code, and assets. The hacker, operating under the aliases 'teapotuberhacker' and 'TeaPots,' shared 90 debug videos on GTAForums and later leaked portions of the source code on Telegram while attempting to extort the company. Rockstar confirmed the network intrusion, acknowledging unauthorized access to early development footage but stating that it expected no disruption to live services or long-term project impacts. The leaked material spread across platforms like YouTube and Twitter, prompting copyright takedown notices from Take-Two Interactive. The attacker also claimed responsibility for a contemporaneous Uber breach, though this remained unverified.
Description
On September 18, 2022, a threat actor using the alias 'teapotuberhacker' leaked 90 gameplay videos and portions of source code from Grand Theft Auto 6 on GTAForums. The hacker claimed to have obtained the materials by breaching Rockstar Games' internal Slack communications server and Confluence wiki, stealing confidential development assets including early build footage, source code for GTA 5 and GTA 6, and testing builds. The leaked videos showed debugging sequences featuring camera angle tests, NPC interactions, and Vice City environments, some containing voiced character dialogue. To substantiate their claims amid initial skepticism, the hacker released screenshots of GTA V and GTA 6 source code and asserted responsibility for a contemporaneous Uber breach under the 'TeaPots' moniker. Bloomberg independently verified the leak's authenticity through Rockstar sources. Although the intrusion method was never technically confirmed, the attacker attempted to extort Rockstar by threatening further disclosures while offering GTA V source code for sale at prices exceeding $10,000.

Rockstar Games responded by issuing DMCA takedown notices through parent company Take-Two Interactive, successfully removing some videos from YouTube and Twitter. However, the content proliferated through Telegram channels where the hacker released additional materials, including a 9,500-line GTA 6 source code file related to in-game script execution. On September 19, Rockstar confirmed a network intrusion had occurred, acknowledging unauthorized access to confidential systems and theft of early development footage for their next Grand Theft Auto title. The company stated that it anticipated no disruption to live services or long-term project timelines but expressed disappointment over the premature disclosure. No technical indicators of compromise, forensic details about the Slack/Confluence breaches, or data protection measures were disclosed publicly. The incident marked one of the gaming industry's most significant pre-release leaks, exposing unreleased intellectual property through compromised collaboration platforms.
