• NOW LIVE! -- One-Page Adventures for D&D 5th Edition on Kickstarter! A booklet of colourful one-page adventures for D&D 5th Edition ranging from levels 1-9 and designed for a single session of play.
log in or register to remove this ad


Change Your DTRPG Password Now!

DTRPG is under attack by hackers. They say they haven’t been compromised, but advise people to change their passwords as one of the attack vectors uses passwords obtained elsewhere to try to log in to your account, especially if the password you use there is used elsewhere too.

So to be safe, change your password.

To be clear — to my knowledge they haven’t been hacked. Nothing has been compromised. But somebody is attempting to do so, and they’re taking precautions.

They’ve also deactivated PayPal payouts temporarily while they work to secure things.

Hopefully it will all sort itself out soon! Announcement below.


On October 31, 2019, we reset the passwords for all customer accounts associated with publisher earnings, author/licensor royalties, or affiliate marketing earnings on our marketplaces: DriveThruRPG, DMs Guild, Wargame Vault, Storytellers Vault, Ulisses Ebooks, etc.

Our sites have been under attack from Russian hackers using thousands of networked, malware-infected devices. The hackers used a list of email addresses and passwords they acquired from other sites and proceeded to bombard our sites with those email+password combinations. When they found a match, where someone used a common password on our marketplace as well as whatever other site(s) the hackers had compromised, the hackers then accessed that account and looted the account’s balance to their own PayPal account.

We attempted other countermeasures first, but on October 31, we had to take a more comprehensive approach and reset every publisher, author, and affiliate account’s password. This action should ensure that the hackers stop getting any email+password matches from their database that might allow them to access more accounts.

If you are a publisher, creator, or affiliate partner, you will need to initiate a password reset the next time you visit our site so that you can create a new password.

  1. Go to DriveThruRPG, DMs Guild, or any of our sites and click Log In.
  2. On the Log-In prompt, select the “Forgot Password?” link to initiate a reset of your password.
  3. Follow the instructions to reset your password. Please make sure your new password is something unique to your OneBookShelf account, and make sure the password contains a long variety of characters.
To be clear, there is no evidence at all that our site was in any way hacked or compromised. The hackers are using login credentials stolen from other sites and testing them on our site.

We cannot recommend strongly enough the use of password managers to help you use unique, safe and secure passwords for every site you visit.
Last edited:

log in or register to remove this ad

Russ Morrissey

Russ Morrissey


Heh - neither my username nor my password there are used anywhere else. And everyone says that using a different throwaway e-mail address for every website I sign up for is being paranoid :)

But I went ahead and changed it anyway. Because they're probably right about the paranoid thing.


Ravenous Bugblatter Beast of Traal
Password reuse is a big deal (same as security question reuse).

As a bit of a rant, I dislike all the sites that think there's only one way to generate sufficient entropy - hard minimums on upper, lower, numbers, and symbols. Especially when they compound it by requiring frequent chances and prohibit reuse. It makes it harder to memorize unique passwords per site, which means that you either need to use a password manager (which can be hacked itself or you can lose access to), or you take an easier route and don't have unique passwords everywhere - which is much worse.


I dislike all the sites that think there's only one way to generate sufficient entropy - hard minimums on upper, lower, numbers, and symbols.

I like sites that allow me to have very long passwords and give me soft minimums on all of those things.

I still stumble across sites that have password lengths of 8-12 characters and won't let you put in anything longer. Those are sites that I don't use if I don't have to and if I must use them don't get my credit card number or, if I can help it, my actual e-mail address. (And by "don't get my credit card number" I mean "I'm not even typing my number into your crappy webform because who the hell knows what your code is doing on the back end" - I'm too paranoid to let my credit card number be stored anywhere these days - I'd rather retype it every single time than worry about whether or not some company is actually spending money on data security these days. And even typing it in every time is no guarantee that the folks who coded the back end are actually doing the right thing. )


It was inside my account at DTRPG. I don’t know if there’s one you can view from outside it. But it just says what that says up there.

Thanks. Interesting. My account shows no such message. Maybe because I'm no publisher, creator, or affiliate partner.


"If you are a publisher, creator, or affiliate partner"

Not being any of those, I don't have a lootable balance on DTRPG.


It looks like they're forcing password changes across the board - I got e-mail last night that my password had been reset and I needed to hit the "forgot password" link on any of the affiliated sites to retrieve the new one.

Visit Our Sponsor

An Advertisement