Roll20's 4M Accounts Hacked

The leading virtual tabletop, with over 4 million accounts, has been hacked. Roll20 was one of many victims in a major hack back in December 2018. No financial details were included.

Here is there current statement:

"Earlier today (2/14), Roll20 was named in a report as one of several victims of an attack by cybercriminals. While we can confirm a breach did occur, we are currently focused on finding out all the facts. For now, it’s important to note the report makes clear that no financial data was included in the breach. Our security teams work tirelessly to fix potential weaknesses in our systems, and we take seriously our responsibility to safeguard our users’ personal information.

Here’s how we do that:

• Roll20 only maintains the following personal information: users’ name, email address, hashed password, last login IP and time of login, and the last 4 credit card digits.
• We use Stripe and PayPal to process transactions; all billing information is handled by them and never touches our servers.
• We utilize bcrypt for password hashing, which means that it cannot be reverse-engineered for utilization with other sites or to access Roll20.

We know it’s frustrating to not have all the facts, and we’re working to uncover the full extent of this breach. We will be continuously updating our members with information as our investigation continues.

UPDATE 2/15 2:45 PM PT: Based off the account numbers from breached data, we've determined this took place on approximately December 26th.The data size (~700MB) is consistent with being our "account object," which, as earlier stated, contains name, email address, last four of credit card, most recent IP address, and hashed & salted password. While the hash & salt should keep passwords safe, it never hurts to reset.We are continuing to work internally and with outside investigators to determine the methodology of breach, while also fulfilling GDPR requirements and notifying appropriate law enforcement.Expect more details early next week"

Getting hacked is commonplace these days (you may recall this site was hacked a few years back), what's surprising is that Roll20 has 4 MILLION accounts. That certainly speaks to the growth of our hobby.

 

[Vampyr3]

I can't belive you are just brushing this off..They got hacked.. but hey there are 4 millon users! the hobby is great... sigh..

 

[Darren Richardson]

Every website on the planet is being hacked at some point in the year, it's a normal occurrence now so most people won't bat an eyelid when a hacker gets successful.

 

[DQDesign]

Luckily I never used that stuff

 

[Cergorach]

Every website on the planet is being hacked at some point in the year, it's a normal occurrence now so most people won't bat an eyelid when a hacker gets successful.

No, it isn't. Dismissing a security breach because everyone else is also being victimized by cyber criminals makes poor security alright. No, it isn't all right!

Mentioning 'security teams' is generally spin speak for there being none. Why would a company with ~10 people have multiple security teams?

e happens of course, but dismissing it and spinning it aren't good ideas.

Also keep in mind that Bycrypt is a 20 year old encryption method and has been passed by many other/better encryption methods. The advantage for Bycrypt is that it's 'light' on the server (requires little resources), but 8 years ago the consensus was already there that while attackers would have a hell of a time with just GPUs, FPGA's would crack the encryption a lot faster. That's also before certain shady individuals and companies now sit on huge GPU farms that's don't earn much doing mining cryptocurrency anymore... Not really an issue for people who use different passwords for each site they have a login for, but it could be an issue for others...

And while the last 4 numbers of a cc isn't enough to buy stuff on a cc, it is often used as part of a range of security questions. Thus usable for identity theft.

 

[cmad1977]

As a ‘victim’ of this hack I have no issue with the OPs conclusion nor do I think they’re ‘spinning, or brushing things aside’.

Calm down little ones.

 

[Emirikol Prime]

No financials so I'm not really caring.

 

[Vampyr3]

As a ‘victim’ of this hack I have no issue with the OPs conclusion nor do I think they’re ‘spinning, or brushing things aside’.

Calm down little ones.

Well, once the next "normal hack happens" and you get your ID stolen and your bank "hacked' which is normal.. I'm sure you will feel the same way?

 

[Henry]

I can’t speak to other countries, but I can confidently say that, if you live in the United States, some of your personally identifiable information (PII) has been released through a breach at least once in your lifetime, no matter how old you are. At the very least, multiple branches of the U.S. Government have been breached, exposing you, your wife/husband/S.O., and your children’s PII in some fashion.

No, it’s not right that it happens; no, it shouldn’t happen with the alarming frequency that it does; but everyone needs to be aware that it does, with that kind of frequency, every day of our lives. Just one breach of Yahoo! In 2016 exposed one BILLION client records of the company. The nonchalance that some people exhibit simply comes from having something that should be shocking occur incessantly.

 

[Zardnaar]

My AD&D books seem to be immune to hacking.