DriveThruRPG Hacked

Companies and websites getting hacked is a pretty regular occurrence these days (I've been notified just today of two breaches of companies I'm a customer of - the other is a mobile phone company). The latest victim is DriveThruRPG (also known as RPGNow), which has sent out emails to those who have made a card payment on the site since July 6th, as well as those who have their payment details stored on the site. The company has sent an email to both groups of customers. If you've used DTRPG or RPGNow in the last month or so, or if your details are stored there, be sure to check that there are no unusual transactions on your account.

The email reads:

Dear customer,

I regret to inform you that one of our servers suffered a security breach which may have compromised your credit card information.

You are receiving this email because you elected to store your credit card number on our server for future purchases. We store these numbers encrypted on our site, and we have no evidence the stored numbers were compromised during the breach. It is possible, however, that the encrypted numbers could have been copied and un-encrypted. We do not store your CVV code (the digits on the back of your credit card), making it difficult for the hacker to use your card number for online fraud. So while we think the data was not compromised, we wanted to inform you of the possibility. It would be safest if you contact your credit card issuer and ask for a replacement card. At the very least, you should check your card for any suspicious charges occurring on or after July 6th.

Our technical team has identified the issue and has secured our servers. Our websites are once again safe to use.

Information such as your name and email address were potentially compromised as well.

Login passwords are stored encrypted with a one-way hash and cannot be decrypted. You do not need to change your account password, but you are more than welcome to do so on your Account page at any time if you wish.

We are truly sorry this incident occurred and sincerely regret the inconvenience it causes you. Navigating credit card company call center menus is no one's idea of a good time.

Security has always been our top concern and up until this incident we were proud of our security record at . We will continue to do everything we can to keep our marketplace secure going forward.



Another version of the email, sent out to a different group of customers, has a different first paragraph:

You are receiving this email because you made a purchase (or attempted to make a purchase) on our site using a credit card between July 6th, 2015 and the morning of August 6th, 2015. There is a 50% chance that hackers were able to collect your credit card information. We recommend that you contact your credit card issuing bank and ask them to replace any cards that you used for charges on our site, and also look over your most recent statements for any suspicious charges.

You can find more information on the website's support page.
 



mearls

Hero
This is why I have started to use prepaid credit cards for online purchases. I just refill them when they get low.

Wow, that's a great idea. Stealing that one.

I went ahead and had new cards issued even though I didn't see anything fishy. It's not a given that a stolen number will see immediate use. If anything, the thieves might wait a bit and try to slip something past you when you aren't paying attention.

Edit: For the curious, I believe this was a man-in-the-middle attack. I received the second email, and I don't store payment info with any merchant including DTRPG.
 

Umbran

Mod Squad
Staff member
Supporter
I went ahead and had new cards issued even though I didn't see anything fishy. It's not a given that a stolen number will see immediate use. If anything, the thieves might wait a bit and try to slip something past you when you aren't paying attention.

Normally, with data breaches, the ones who steal the data are not the ones who then use the data - that would make them much easier to catch. Your information typically gets bundled up and sold to another party or parties, who then uses it for fraud. There is typically some delay in this process, especially if they are doing something more sophisticated than just using your credit card without your permission.
 

JeffB

Legend
Hmm.. I didn't get the email. But I did not make any purchases since the 6th... though some downloads. I do store my info there though, IIRC.
 


Talmek

Explorer
Luckily (after checking my order history) I was not affected by this as all of my purchases on the site over the time period were for 0.00, not requiring a payment method. However, I'm surprised that is all the company did after losing the information of X customers. Typically companies provide store credit, etc. or are required to pay for credit monitoring if proven that the breach could have been reasonably prevented (industry standard security protocols not followed and what have you). Additionally, many lending institutions pass on the costs of issuing new cards and the associated hassles to their customers/members. Depending on how large the breach was (obviously we are not talking about anything of the same magnitude as Target or Sony) this could be bad news for the company, rather than just bad press.

DTRPG was one of my favorite places to pick up PDFs and even though I wasn't affected it was only through dumb luck that I didn't happen to purchase anything recently, instead opting to pick items off my list from Amazon or while at GenCon.
 

Plane Sailing

Astral Admin - Mwahahaha!
Login passwords are stored encrypted with a one-way hash and cannot be decrypted.

Total horse manure.

With your PW hash, your random salt, and a rainbow table, your password can be brute forced by just about any marginally competent script kiddie. Distribute the brute force attempts over a bot net to parallel the process and greatly reduce time needed. Focus the effort away from joe schmoe random guy and match user table against orders table to find hi-frequency, medium spending individuals as primary targets and save a lot of trouble brute forcing accounts that probably aren't useful to begin with.

If you value your money and purchases at any site that has been compromised, ALWAYS change your credentials. Use passwords that are unique to any given site, don't reuse. Security 101.

You are not up to date on the current state of the art in cracking hashes.

1. Nobody uses rainbow tables any more. Quicker to attempt to crack the hashes (using hashcat).
2. It isn't a simple thing for script kiddies to do - it takes some smarts to crack hashes.
3. As long as people have used sensible hashing algorithms, and your password is long enough. Some hash algorithms which used to be popular are now badly broken. But there are modern hashing algorithms which make attempting to crack hashes much more difficult by making the hashes computationally expensive or memory expensive to crack - the latter being particularly important in the era of massive parallel graphics card based cracking, which crunches CPU really well.
4. If you've got a password which is 8 characters or less, you're toast. If your password is 12 characters or more and any decent kind of hashing, you're pretty much safe today. If your password is 16 characters or more you're likely to be safe for at least the next 6 years. Sadly too many companies focus on silliness like upper and lower case, including numbers and special characters but don't allow the one thing that makes a really significant difference, which is length, length and length.

Mind you, I always recommend anyone to NOT store card details on third party sites if you can possibly avoid it. Best to be sure!
 

jimmifett

Banned
Sadly too many companies focus on silliness like upper and lower case, including numbers and special characters but don't allow the one thing that makes a really significant difference, which is length, length and length.

You are absolutely correct that a longer password is better, however, even with a pw as short as 8, having mixed case characters raises the possible unique combinations

a-z: ~1.5 million possibilities
a-zA-Z: ~750 million possibilities
a-zA-Z0-9: ~3.3 billion possibilities
a-zA-Z0-9 and 10 special characters: ~12 billion possibilities

Certainly not silly for even a basic attempt at added difficulty, but yes, a decent system could chew through 12 billion matches in a relatively short time, even less if distributed.

Naturally, longer is *significantly* better, with 16 chars:

a-z: ~5 million possibilities
a-zA-Z: ~10 trillion possibilities
a-zA-Z0-9: ~273 trillion possibilities
a-zA-Z0-9 and 10 special characters: ~4.1 quadrillion possibilities

Now we're talking some pretty darn big numbers! Unfortunately, bot nets numbering in thousands and 10s of thousands, can still chew through such a task in a moderate amount of time. Trim that number down with common values to catch lazy passwords easily and time drops significantly. Don't need to crack every pw, just the low hanging fruit.
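The two posts above look at the same problem from two sides: jimmifett's keyspace figures for character classes versus length, and Plane Sailing's point that a slow, salted hash makes every guess expensive. The Python below is added here as an illustration and is not code from any poster or from DriveThruRPG: it computes keyspace and equivalent bits for the thread's character classes, estimates how long a uniformly random password survives against an assumed rig doing 10 billion raw SHA-256 guesses per second, and shows salted PBKDF2 storage with an assumed 600,000-iteration work factor.

```python
import hashlib
import hmac
import math
import os

# Assumed work factor for PBKDF2-HMAC-SHA256: it slows every guess against a
# stolen hash by the same factor it slows one legitimate login.
PBKDF2_ITERATIONS = 600_000

# Character-class sizes matching the classes compared in the thread.
CHARSETS = {"a-z": 26, "a-zA-Z": 52, "a-zA-Z0-9": 62, "a-zA-Z0-9+10 symbols": 72}


def keyspace(charset_size, length):
    """Distinct passwords of exactly `length` uniformly chosen characters."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """The same keyspace in bits, so length and charset compare directly."""
    return length * math.log2(charset_size)


def expected_crack_seconds(charset_size, length, raw_hashes_per_second, iterations=1):
    """Expected time to hit a random password (half the keyspace) given the
    rig's raw hash rate and the per-guess work factor of the stored hash."""
    effective_rate = raw_hashes_per_second / iterations
    return keyspace(charset_size, length) / 2 / effective_rate


def hash_password(password, salt=None):
    """Store a per-user random salt plus a stretched one-way hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    rate = 1e10  # assumed raw SHA-256 rate of one GPU rig, guesses per second
    for length in (8, 12, 16):
        for name, size in CHARSETS.items():
            plain = expected_crack_seconds(size, length, rate)
            stretched = expected_crack_seconds(size, length, rate, PBKDF2_ITERATIONS)
            print(f"{name:>22} x{length}: {entropy_bits(size, length):5.1f} bits, "
                  f"{plain / 86400:.3g} days raw, {stretched / 86400:.3g} days stretched")
```

Running it shows 16 lowercase letters outlasting 8 characters drawn from the full 72-symbol set by a wide margin, and the work factor multiplying the attacker's cost by the same 600,000 a single login pays.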
 
