Change Your DTRPG Password Now!

DTRPG is under attack by hackers. They say they haven’t been compromised, but advise people to change their passwords as one of the attack vectors uses passwords obtained elsewhere to try to log in to your account, especially if the password you use there is used elsewhere too.

So to be safe, change your password.

To be clear — to my knowledge they haven’t been hacked. Nothing has been compromised. But somebody is attempting to do so, and they’re taking precautions.

They’ve also deactivated PayPal payouts temporarily while they work to secure things.

Hopefully it will all sort itself out soon! Announcement below.


On October 31, 2019, we reset the passwords for all customer accounts associated with publisher earnings, author/licensor royalties, or affiliate marketing earnings on our marketplaces: DriveThruRPG, DMs Guild, Wargame Vault, Storytellers Vault, Ulisses Ebooks, etc.

Our sites have been under attack from Russian hackers using thousands of networked, malware-infected devices. The hackers used a list of email addresses and passwords they acquired from other sites and proceeded to bombard our sites with those email+password combinations. When they found a match, where someone used a common password on our marketplace as well as whatever other site(s) the hackers had compromised, the hackers then accessed that account and looted the account’s balance to their own PayPal account.

We attempted other countermeasures first, but on October 31, we had to take a more comprehensive approach and reset every publisher, author, and affiliate account’s password. This action should ensure that the hackers stop getting any email+password matches from their database that might allow them to access more accounts.

If you are a publisher, creator, or affiliate partner, you will need to initiate a password reset the next time you visit our site so that you can create a new password.

  1. Go to DriveThruRPG, DMs Guild, or any of our sites and click Log In.
  2. On the Log-In prompt, select the “Forgot Password?” link to initiate a reset of your password.
  3. Follow the instructions to reset your password. Please make sure your new password is something unique to your OneBookShelf account, and make sure the password contains a long variety of characters.

To be clear, there is no evidence at all that our site was in any way hacked or compromised. The hackers are using login credentials stolen from other sites and testing them on our site.

We cannot recommend strongly enough the use of password managers to help you use unique, safe and secure passwords for every site you visit.
 
Last edited:
Russ Morrissey
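
The announcement above describes credential stuffing spread across many devices, where each source tries only a few accounts and per-IP or per-account lockouts never trip. As an added example (not part of the original post and not OneBookShelf's code), this Python function flags such a wave in login events and lists accounts whose successful login came from a source that was also failing against other accounts. The event format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (unix_time, source_ip, email, succeeded)
EVENTS = [
    (1000, "203.0.113.5", "ann@example.com", False),
    (1001, "203.0.113.5", "bob@example.com", False),
    (1002, "198.51.100.7", "cat@example.com", False),
    (1003, "198.51.100.7", "dan@example.com", True),   # reused password matched
    (1004, "192.0.2.9", "eve@example.com", False),
    (1005, "192.0.2.9", "fay@example.com", False),
    (1006, "192.0.2.44", "gus@example.com", False),    # owner mistypes...
    (1007, "192.0.2.44", "gus@example.com", True),     # ...then logs in
    (1008, "203.0.113.5", "hal@example.com", True),    # reused password matched
]

def analyze(events, window=300, min_accounts=5, max_fails_each=2):
    """Return (wave_detected, accounts_to_reset) for the first time window."""
    if not events:
        return False, []
    start = min(e[0] for e in events)
    recent = [e for e in events if e[0] - start < window]
    fails = defaultdict(int)      # account -> failed attempts in the window
    touched = defaultdict(set)    # source IP -> every account it tried
    failed_ips = set()            # sources with at least one failed login
    for _, ip, email, ok in recent:
        touched[ip].add(email)
        if not ok:
            fails[email] += 1
            failed_ips.add(ip)
    # Stuffing is wide and shallow: many accounts, one or two guesses each.
    shallow = [a for a, n in fails.items() if n <= max_fails_each]
    wave = len(shallow) >= min_accounts
    # Pool: sources that failed at least once and tried several accounts.
    # (Heuristic: shared NAT addresses can look similar.)
    pool = {ip for ip in failed_ips if len(touched[ip]) >= 2}
    reset = sorted({email for _, ip, email, ok in recent
                    if wave and ok and ip in pool})
    return wave, reset

if __name__ == "__main__":
    print(analyze(EVENTS))
```

The owner who mistypes once and then logs in from a single-account source is not flagged, while the two successes from sources that also failed against other accounts are queued for reset.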

Comments

Jer

Adventurer
Heh - neither my username nor my password there are used anywhere else. And everyone says that using a different throwaway e-mail address for every website I sign up for is being paranoid :)

But I went ahead and changed it anyway. Because they're probably right about the paranoid thing.
 

Blue

Orcus on a bad hair day
Password reuse is a big deal (same as security question reuse).

As a bit of a rant, I dislike all the sites that think there's only one way to generate sufficient entropy - hard minimums on upper, lower, numbers, and symbols. Especially when they compound it by requiring frequent changes and prohibit reuse. It makes it harder to memorize unique passwords per site, which means that you either need to use a password manager (which can be hacked itself or you can lose access to), or you take an easier route and don't have unique passwords everywhere - which is much worse.
 

Ulfgeir

Explorer
Thanx for the warning. Will have to check once I get home, as I don't remember what password I used...
 

Ralif Redhammer

Adventurer
Done. Thanks for the heads-up. My wife got her information hacked a few years back, and that was a headache that took forever to resolve.
 

Jer

Adventurer
"I dislike all the sites that think there's only one way to generate sufficient entropy - hard minimums on upper, lower, numbers, and symbols."

I like sites that allow me to have very long passwords and give me soft minimums on all of those things.

I still stumble across sites that have password lengths of 8-12 characters and won't let you put in anything longer. Those are sites that I don't use if I don't have to and if I must use them don't get my credit card number or, if I can help it, my actual e-mail address. (And by "don't get my credit card number" I mean "I'm not even typing my number into your crappy webform because who the hell knows what your code is doing on the back end" - I'm too paranoid to let my credit card number be stored anywhere these days - I'd rather retype it every single time than worry about whether or not some company is actually spending money on data security these days. And even typing it in every time is no guarantee that the folks who coded the back end are actually doing the right thing. )
 

Morrus

Well, that was fun
Staff member
Just to be clear — they haven’t been hacked. Somebody is trying to, and they’re taking the necessary precautions.
 

Sacrosanct

Legend
Hmmm...well, the entire site was in Spanish for me. That made things interesting. But I did manage to get my password changed
 

stadi

Villager
Using 2FA would solve this problem. It's not hard to implement it and it makes a huge difference in security.
 

Morrus

Well, that was fun
Staff member
"@Morrus could you provide a link to the announcement please? I don't see a news section on their homepage."
It was inside my account at DTRPG. I don’t know if there’s one you can view from outside it. But it just says what that says up there.
 

stadi

Villager
"It was inside my account at DTRPG. I don’t know if there’s one you can view from outside it. But it just says what that says up there."
Thanks. Interesting. My account shows no such message. Maybe because I'm no publisher, creator, or affiliate partner.
 

S'mon

Legend
"If you are a publisher, creator, or affiliate partner"

Not being any of those, I don't have a lootable balance on DTRPG.
 

drl2

Explorer
It looks like they're forcing password changes across the board - I got e-mail last night that my password had been reset and I needed to hit the "forgot password" link on any of the affiliated sites to retrieve the new one.
 
