DriveThruRPG Hacked

Companies and websites getting hacked is a pretty regular occurrence these days (I've been notified just today of two breaches of companies I'm a customer of - the other is a mobile phone company). The latest victim is DriveThruRPG (also known as RPGNow), which has sent out emails to those who have made a card payment on the site since July 6th, as well as those who have their payment details stored on the site. The company has sent an email to both groups of customers. If you've used DTRPG or RPGNow in the last month or so, or if your details are stored there, be sure to check that there are no unusual transactions on your account.

The email reads:

Dear customer,

I regret to inform you that one of our servers suffered a security breach which may have compromised your credit card information.

You are receiving this email because you elected to store your credit card number on our server for future purchases. We store these numbers encrypted on our site, and we have no evidence the stored numbers were compromised during the breach. It is possible, however, that the encrypted numbers could have been copied and un-encrypted. We do not store your CVV code (the digits on the back of your credit card), making it difficult for the hacker to use your card number for online fraud. So while we think the data was not compromised, we wanted to inform you of the possibility. It would be safest if you contact your credit card issuer and ask for a replacement card. At the very least, you should check your card for any suspicious charges occurring on or after July 6th.

Our technical team has identified the issue and has secured our servers. Our websites are once again safe to use.

Information such as your name and email address were potentially compromised as well.

Login passwords are stored encrypted with a one-way hash and cannot be decrypted. You do not need to change your account password, but you are more than welcome to do so on your Account page at any time if you wish.

We are truly sorry this incident occurred and sincerely regret the inconvenience it causes you. Navigating credit card company call center menus is no one's idea of a good time.

Security has always been our top concern and up until this incident we were proud of our security record at . We will continue to do everything we can to keep our marketplace secure going forward.



Another version of the email, sent out to a different group of customers, has a different first paragraph:

You are receiving this email because you made a purchase (or attempted to make a purchase) on our site using a credit card between July 6th, 2015 and the morning of August 6th, 2015. There is a 50% chance that hackers were able to collect your credit card information. We recommend that you contact your credit card issuing bank and ask them to replace any cards that you used for charges on our site, and also look over your most recent statements for any suspicious charges.

You can find more information on the website's support page.
 


Mr. Flibble

Explorer
I found no suspicious transactions on either of the two accounts I've used on DriveThru in the last month or so, but I cancelled both debit cards as a precaution. I don't see a lot of alternative for avoiding this kind of thing except to not save card information in the future. Inconvenient, but keeping up with the hacker jerks is basically a data-security arms race, and I make it a general policy not to get involved in arms races any more than I can help.
 



jimmifett

Banned
Login passwords are stored encrypted with a one-way hash and cannot be decrypted.

Total horse manure.

With your PW hash, your random salt, and a rainbow table, your password can be brute forced by just about any marginally competent script kiddie. Distribute the brute force attempts over a bot net to parallel the process and greatly reduce time needed. Focus the effort away from joe schmoe random guy and match user table against orders table to find hi-frequency, medium spending individuals as primary targets and save a lot of trouble brute forcing accounts that probably aren't useful to begin with.

If you value your money and purchases at any site that has been compromised, ALWAYS change your credentials. Use passwords that are unique to any given site, don't reuse. Security 101.
 

Umbran

Mod Squad
Staff member
Supporter
Login passwords are stored encrypted with a one-way hash and cannot be decrypted.

Total horse manure.

With your PW hash, your random salt, and a rainbow table, your password can be brute forced by just about any marginally competent script kiddie.

Technically, that's not decryption. It is guessing so many times that you get the result by process of elimination. :p

It also assumes they got the salts as well as the hashes, which is not necessarily the case.

If you value your money and purchases at any site that has been compromised, ALWAYS change your credentials. Use passwords that are unique to any given site, don't reuse. Security 101.

Agreed.
 


Morrus

Well, that was fun
Staff member
Use passwords that are unique to any given site, don't reuse. Security 101.


Unfortunately, most people are members of dozens if not hundreds of sites these days. Individual passwords for each and every one are sensible, but often not easy to use.
 

Falkus

Explorer
I found no suspicious transactions on either of the two accounts I've used on DriveThru in the last month or so, but I cancelled both debit cards as a precaution. I don't see a lot of alternative for avoiding this kind of thing except to not save card information in the future. Inconvenient, but keeping up with the hacker jerks is basically a data-security arms race, and I make it a general policy not to get involved in arms races any more than I can help.

From what I can tell in the email, it wasn't the stored information that was compromised; but they were being harvested from the actual transactions.
 

Jefferson Jim

First Post
I received the email. I used a CC during the specified dates. I did not see any unusual activity. I was fairly certain I did not store my CC info on the site, because as a practice I wouldn't. So I thought it was unusual I received the email since it states "You are receiving this email because you elected to store your credit card number on our server for future purchases". Did this just blast to everyone?

How large of a pwd can you have on the site. I didn't see any password maximums. I know it accepts some punctuation chars.
 
