DriveThruRPG Hacked

Companies and websites getting hacked is a pretty regular occurrence these days (just today I've been notified of two breaches at companies I'm a customer of; the other is a mobile phone company). The latest victim is DriveThruRPG (also known as RPGNow), which has sent emails to two groups of customers: those who have made a card payment on the site since July 6th, and those who have their payment details stored on the site. If you've used DTRPG or RPGNow in the last month or so, or if your details are stored there, be sure to check that there are no unusual transactions on your account.


The email reads:

Dear customer,

I regret to inform you that one of our servers suffered a security breach which may have compromised your credit card information.

You are receiving this email because you elected to store your credit card number on our server for future purchases. We store these numbers encrypted on our site, and we have no evidence the stored numbers were compromised during the breach. It is possible, however, that the encrypted numbers could have been copied and un-encrypted. We do not store your CVV code (the digits on the back of your credit card), making it difficult for the hacker to use your card number for online fraud. So while we think the data was not compromised, we wanted to inform you of the possibility. It would be safest if you contact your credit card issuer and ask for a replacement card. At the very least, you should check your card for any suspicious charges occurring on or after July 6th.

Our technical team has identified the issue and has secured our servers. Our websites are once again safe to use.

Information such as your name and email address were potentially compromised as well.

Login passwords are stored encrypted with a one-way hash and cannot be decrypted. You do not need to change your account password, but you are more than welcome to do so on your Account page at any time if you wish.

We are truly sorry this incident occurred and sincerely regret the inconvenience it causes you. Navigating credit card company call center menus is no one's idea of a good time.

Security has always been our top concern and up until this incident we were proud of our security record at . We will continue to do everything we can to keep our marketplace secure going forward.



Another version of the email, sent out to a different group of customers, has a different first paragraph:

You are receiving this email because you made a purchase (or attempted to make a purchase) on our site using a credit card between July 6th, 2015 and the morning of August 6th, 2015. There is a 50% chance that hackers were able to collect your credit card information. We recommend that you contact your credit card issuing bank and ask them to replace any cards that you used for charges on our site, and also look over your most recent statements for any suspicious charges.

You can find more information on the website's support page.
 


Falkus

Explorer
If it was a man in the middle attack, which is implied by the email, it doesn't matter if you stored it or not. They took the information during the transaction.
 


jimmifett

Banned
It also assumes they got the salts as well as the hashes, which is not necessarily the case.

Anyone trying to access accounts always goes for the salts. Ideally, they are kept in a separate table, just to be annoying to the attacker, but many inexperienced devs will often place salts in same table as hashes to save a line of text for a join command or just not have thought of separating the two.

Quite correct that technically it is not decrypting, but DTRPG's statement gives a false sense of security and is disingenuous towards accounts being safe.

Personally, I add a fixed application salt intermingled into the random stored salt that would require the source code to figure out (or a great amount of time debugging to get at it). Not insurmountable (nothing is), but a little added difficulty.

TL;DR: change your password; better safe than sorry. Good advice is a password locker, store on a thumbdrive (and a backup thumbdrive) and generate random passwords for every site you care about.
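The scheme described above (a random per-user salt stored with the hash, plus a fixed application-level secret that lives in code or config rather than in the database), as an added illustration that is not code from DTRPG or from the poster. The pepper value, the PBKDF2 round count and the record layout are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical application secret ("pepper"). It lives in code or config,
# never in the user table next to the salt and hash. Hard-coded here only so
# the example runs offline; load it from a secrets store in a real system.
APP_PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff")
PBKDF2_ROUNDS = 200_000  # assumed work factor


def hash_password(password: str, pepper: bytes = APP_PEPPER,
                  salt: Optional[bytes] = None) -> dict:
    """Return the record a user table would store: per-user salt + hash.

    The pepper is mixed into the password with HMAC before the slow PBKDF2
    step, so a dump containing salt and hash together (the case the thread
    worries about) is not enough to guess-and-check passwords offline.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict,
                    pepper: bytes = APP_PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, pepper, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate["hash"], record["hash"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print("stored record:", rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("hunter2", rec))
    # An attacker holding only the database dump does not have APP_PEPPER,
    # so their reconstruction of the check fails even with the right guess.
    print("dump without pepper:",
          verify_password("correct horse battery staple", rec, pepper=b"guess"))
```

The pepper only helps if it is genuinely separate from the database backup and dump; if the attacker also gets the application source or config, the scheme degrades to ordinary salted PBKDF2.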
 


Hand of Evil

Hero
Epic
1WearMySunGla$$e$@Night3603! all my passwords are about this long and look like this and changed every holiday, never reused, this one was around x-mas 2013. :) Also, use a low fund account to limit loss and have gone to cash for all other transactions.
 

Umbran

Mod Squad
Staff member
Supporter
Quite correct that technically it is not decrypting, but DTRPG's statement gives a false sense of security and is disingenuous towards accounts being safe.

Again, you are assuming they got the salts. If DTRPG knows that they *didn't* get the salts, then their statement isn't disingenuous or particularly misleading.

And, you know, pardon them for not going into a detailed description of which cryptographic bits got out in a customer-relations e-mail. Those are only useful to a very small subset of the population, and confuse (and raise destructive anxiety) to the rest.
 

jinnetics

Explorer
I didn't store my CC information on the site, and the 2nd paragraph of my email was different:

You are receiving this email because you made a purchase (or attempted to make a purchase) on our site using a credit card between July 6th, 2015 and the morning of August 6th, 2015. There is a 50% chance that hackers were able to collect your credit card information. We recommend that you contact your credit card issuing bank and ask them to replace any cards that you used for charges on our site, and also look over your most recent statements for any suspicious charges.
 

Morrus

Well, that was fun
Staff member
I didn't store my CC information on the site, and the 2nd paragraph of my email was different:

You are receiving this email because you made a purchase (or attempted to make a purchase) on our site using a credit card between July 6th, 2015 and the morning of August 6th, 2015. There is a 50% chance that hackers were able to collect your credit card information. We recommend that you contact your credit card issuing bank and ask them to replace any cards that you used for charges on our site, and also look over your most recent statements for any suspicious charges.

Thanks! I'll add that info to the article.
 

dpmcalister

Explorer
Unfortunately, most people are members of dozens if not hundreds of sites these days. Individual passwords for each and every one are sensible, but often not easy to use.
That's why you should use a password manager. I use LastPass and the $12 I pay a year is more than worth it. Combine that with two-factor authentication and you're a lot safer.
 


Agamon

Adventurer
Unfortunately, most people are members of dozens if not hundreds of sites these days. Individual passwords for each and every one are sensible, but often not easy to use.

This is why password managers are great. I have over 60 instances on mine, all completely different 10-character gobbledy-gook and the manager I use (mSecure) is cross-platform, so all of my devices have all my passwords.
 
