Change Your DTRPG Password Now!

DTRPG is under attack by hackers. They say they haven’t been compromised, but advise people to change their passwords as one of the attack vectors uses passwords obtained elsewhere to try to log in to your account, especially if the password you use there is used elsewhere too.

So to be safe, change your password.

To be clear — to my knowledge they haven’t been hacked. Nothing has been compromised. But somebody is attempting to do so, and they’re taking precautions.

They’ve also deactivated PayPal payouts temporarily while they work to secure things.

Hopefully it will all sort itself out soon! Announcement below.

On October 31, 2019, we reset the passwords for all customer accounts associated with publisher earnings, author/licensor royalties, or affiliate marketing earnings on our marketplaces: DriveThruRPG, DMs Guild, Wargame Vault, Storytellers Vault, Ulisses Ebooks, etc.

Our sites have been under attack from Russian hackers using thousands of networked, malware-infected devices. The hackers used a list of email addresses and passwords they acquired from other sites and proceeded to bombard our sites with those email+password combinations. When they found a match, where someone used a common password on our marketplace as well as whatever other site(s) the hackers had compromised, the hackers then accessed that account and looted the account’s balance to their own PayPal account.

We attempted other countermeasures first, but on October 31, we had to take a more comprehensive approach and reset every publisher, author, and affiliate account’s password. This action should ensure that the hackers stop getting any email+password matches from their database that might allow them to access more accounts.

If you are a publisher, creator, or affiliate partner, you will need to initiate a password reset the next time you visit our site so that you can create a new password.

1. Go to DriveThruRPG, DMs Guild, or any of our sites and click Log In.
2. On the Log-In prompt, select the “Forgot Password?” link to initiate a reset of your password.
3. Follow the instructions to reset your password. Please make sure your new password is something unique to your OneBookShelf account, and make sure the password contains a long variety of characters.

To be clear, there is no evidence at all that our site was in any way hacked or compromised. The hackers are using login credentials stolen from other sites and testing them on our site.

We cannot recommend strongly enough the use of password managers to help you use unique, safe and secure passwords for every site you visit.

 

[Jer]

Heh - neither my username nor my password there are used anywhere else. And everyone says that using a different throwaway e-mail address for every website I sign up for is being paranoid

But I went ahead and changed it anyway. Because they're probably right about the paranoid thing.

 

[Blue]

Password reuse is a big deal (same as security question reuse).

As a bit of a rant, I dislike all the sites that think there's only one way to generate sufficient entropy - hard minimums on upper, lower, numbers, and symbols. Especially when they compound it by requiring frequent chances and prohibit reuse. It makes it harder to memorize unique passwords per site, which means that you either need to use a password manager (which can be hacked itself or you can lose access to), or you take an easier route and don't have unique passwords everywhere - which is much worse.

 

[RSIxidor]

Do they have a press release out about this?

 

[Umbran]

Thanks for the warning. The password I use there is unique to that site, thankfully.

 

[Ulfgeir]

Thanx for the warning. Will have to check once I get home, as I don't remember what password I used...

 

[Ralif Redhammer]

Done. Thanks for the heads-up. My wife got her information hacked a few years back, and that was a headache that took forever to resolve.

 

[Jer]

I dislike all the sites that think there's only one way to generate sufficient entropy - hard minimums on upper, lower, numbers, and symbols.

I like sites that allow me to have very long passwords and give me soft minimums on all of those things.

I still stumble across sites that have password lengths of 8-12 characters and won't let you put in anything longer. Those are sites that I don't use if I don't have to and if I must use them don't get my credit card number or, if I can help it, my actual e-mail address. (And by "don't get my credit card number" I mean "I'm not even typing my number into your crappy webform because who the hell knows what your code is doing on the back end" - I'm too paranoid to let my credit card number be stored anywhere these days - I'd rather retype it every single time than worry about whether or not some company is actually spending money on data security these days. And even typing it in every time is no guarantee that the folks who coded the back end are actually doing the right thing. )

 

[Count_Zero]

Got my password changed - I'd been meaning to do that for a while, so now is as good a time as any.

 

[Morrus]

Do they have a press release out about this?

Dunno. There’s a notice on the screen in my account there, and I’ve seen a bunch of people talk about it around the web.