NuTSR Financial Data Breach

The ongoing saga of “TSR3” continues as Justin LaNasa, owner of “TSR LLC”, allegedly stores and has emailed to others a spreadsheet containing customer financial information stored without any form of encoding or encryption.


In a video released by Don Semora of Wizard Tower Games, Semora claims Justin LaNasa emailed him a spreadsheet in May 2022 that included financial information from customers and business partners including full names, email addresses, home addresses, phone numbers, and even credit card numbers, all stored in plain text with no encoding or encryption. This includes customers of TSR or Dungeon Hobby Shop’s webstores purchasing products including Cult of Abaddon, Dungeon Crawl: The Board Game, TSR Dice, and others.


Screenshots of the spreadsheet (with private information redacted) show up in the video starting at the nine minute mark.

Wizard Tower Games also commented in the EN World thread “The Full & Glorious History of NuTSR” offering to confirm if anyone’s personal information was part of the spreadsheet he received. According to David Flor, transactions with the companies are processed under the name “Port City Kava”, an oxygen bar and vape/ecig store run by Justin LaNasa in North Carolina.

For those unfamiliar with the Saga of the TSR Trademark, EN World has a timeline of events with links to more information going back to the start in June of 2021 and, at the time of writing, updated through July 22, 2022.

The video from Semora is the most recent entry in a back-and-forth between himself and LaNasa following a Twitter post from Wizard Tower Games on August 29 confirming the company received two subpoenas related to the lawsuit with Wizards of the Coast. Michael K. Hovermale, former employee of TSR LLC, confirmed he also received a subpoena related to the lawsuit and confirmed in a post on EN World that he retained all information from his time working for LaNasa and informed LaNasa of this in June of 2022. In a video titled “OPEN LETTER LANASA” posted on September 1, Don Semora says he received a text message from LaNasa accusing Semora and Hovermale of “photoshopping documents”. The video consists of Semora posting screenshots of documents he claims were sent to him from LaNasa. In response, LaNasa claimed the documents in the video were Photoshopped by posting his own screenshots and calling Semora a "liar" on social media including in the title of a channel on the TSR Discord server, according to a screenshot from the private server posted by Kim Wincen. Semora responded with the video posted earlier today containing the spreadsheet along with other screenshots.

The case between TSR LLC, the Dungeon Hobby Shop Museum LLC, and Justin LaNasa v. Wizards of the Coast is scheduled for a jury trial in October 2023.
 


Darryl Mott


I thought I read in one of the complaints that he believed that when WotC put Star Frontiers for sale on DMs guild, they had somehow inadvertently confirmed that TSR (which in his mind is the same company he owns) was the actual owner of Star Frontiers, and that he/TSR is therefore actively selling Star Frontiers without contest from WotC.
I hate to give these guys credit for anything, but I have to believe that even LaNasa knows that 'naming my company the same name as this former company' =/= 'is the old company.' If he made that argument, I assume that that was part of the grift, not something he actually believed.
 


Abstruse

Legend
I hate to give these guys credit for anything, but I have to believe that even LaNasa knows that 'naming my company the same name as this former company' =/= 'is the old company.' If he made that argument, I assume that that was part of the grift, not something he actually believed.
It was a core part of his marketing for quite a while. He heavily implied if not straight up stated that his TSR was the original TSR in multiple social media posts, product announcements, etc. The one I remember most vividly was when he was banned from Gen Con claiming that his "TSR" founded the convention. Which wasn't even true for the original Gen Con - it existed for several years before TSR existed. The first Gen Con was in 1968 even before the release of Chainmail while the Lake Geneva Tactical Studies Association was founded as a club in 1970, and TSR was registered as a company in 1973.

But in LaNasa's eyes, "We have a Gygax working for us" means he's the inheritor of the TSR legacy.

It's also a big part of Wizards of the Coast's counter-suit. Since he claimed multiple times his TSR LLC was the same as TSR Inc founded by Gary Gygax and Don Kaye in 1973 (the latter of which Wizards of the Coast purchased in 1997), their counter-claim goes beyond just ownership of the trademark and into actual trademark infringement since it shows an intent to deceive customers.
 

It was a core part of his marketing for quite a while. He heavily implied if not straight up stated that his TSR was the original TSR in multiple social media posts, product announcements, etc. The one I remember most vividly was when he was banned from Gen Con claiming that his "TSR" founded the convention. Which wasn't even true for the original Gen Con - it existed for several years before TSR existed. The first Gen Con was in 1968 even before the release of Chainmail while the Lake Geneva Tactical Studies Association was founded as a club in 1970, and TSR was registered as a company in 1973.

But in LaNasa's eyes, "We have a Gygax working for us" means he's the inheritor of the TSR legacy.

It's also a big part of Wizards of the Coast's counter-suit. Since he claimed multiple times his TSR LLC was the same as TSR Inc founded by Gary Gygax and Don Kaye in 1973 (the latter of which Wizards of the Coast purchased in 1997), their counter-claim goes beyond just ownership of the trademark and into actual trademark infringement since it shows an intent to deceive customers.
We're not disagreeing on the substantive facts or statements. I am saying I doubt he really believes it, so much as it is part of the grift.
 

I am saying I doubt he really believes it, so much as it is part of the grift.

There have been many times over the course of the past year when I have had trouble separating what NuTSR believes, and what is the scam. It's a little bit easier now that it's just Lanasa speaking for them. OTOH, it also seems like Lanasa occasionally repeats lies so much that he forgets what the original truth was.
 

Shakeshift

Adventurer
There have been many times over the course of the past year when I have had trouble separating what NuTSR believes, and what is the scam. It's a little bit easier now that it's just Lanasa speaking for them. OTOH, it also seems like Lanasa occasionally repeats lies so much that he forgets what the original truth was.
Whenever you see Justin Lanasa talking about TSR, you can tell he really believes that he is the incarnation of the original TSR, with everything that they did and accomplished as part of HIS legacy as the new owner.

Never minding the fact that all he did was pick up an abandoned trademark for $250 and squatted on it. In Lanasa's mind, he's co-owner along with Gary Gygax. Completely delusional seeing as how his TSR ownership is a mere technicality and about to be taken away from him by force by Wizards of the Coast in a court of law. Once the court ruling happens, it's OFFICIAL that he was never the copyright holder, a simple fact I think many people will be happy to rub in Justin's face.
 

TarionzCousin

Second Most Angelic Devil Ever
NuTSR is kind of like some bizarre variant hydra with the following traits:

Shoot Foot. As a bonus action, the NuTSR hydra can shoot one of its own feet.

Multiple Feet. The NuTSR hydra has multiple feet. Each turn it needs to roll an Integrity saving throw to avoid tripping over its own feet, landing prone on a failure. If the NuTSR hydra has any active sock puppets (see below), this saving throw is at disadvantage.

Regrow Feet. At the end of its turn, it grows two feet for each foot that was shot off since its last turn. If the NuTSR hydra is subjected to the social media silence spell, this trait does not function.

Sock Puppet. As an action, the NuTSR hydra can create a sock puppet for each active foot that it has.
Or a variant of this Greek monster: Hecatoncheires - Wikipedia
 

Michael Linke

Adventurer
There have been many times over the course of the past year when I have had trouble separating what NuTSR believes, and what is the scam. It's a little bit easier now that it's just Lanasa speaking for them. OTOH, it also seems like Lanasa occasionally repeats lies so much that he forgets what the original truth was.
I mean no malice toward tattoo artists, weapons designers, politicians or spiritualists, law enforcement or anyone else, but this dude is a current tattoo artist, former federal law enforcement officer, former weapons designer, former statewide political candidate, who owns an oxygen bar and a fake D&D museum and claims on his website to have like… invented? Discovered? Something called “yin-xie-yang” which is basically some new age word salad with some questionable stuff tossed in about traditional gender identity.

I 100% believe that this guy 100% believes that he’s entitled to the streaming proceeds of House of the Dragon, How to Train your Dragon, and will try to slap you with a cease and desist if he feels your remodeled basement is at all Dungeon-like. To put it short, I think he really believes what he’s saying, and really believes that the whole world is against him, and it’s sad to watch.
 


lingual

Adventurer
How would they even have gotten the actual credit card numbers stored?

I would think they used some off-the-shelf e-commerce platform and those - by default - would not actually store whole credit card numbers. At least - that would be such an egregious practice, that any consultant they hired would probably have to go out of their way (ie. explicitly program) and storage of numbers. Something like Shopify would not store credit card numbers by default.

Assuming they did that - someone would have to actually query a database to export the data into a spreadsheet. Again, some consultant could have scripted a simple script or interface for Lanasa to do it himself.


After all that - Lanasa would have to have the modicum of intelligence to operate a computer at some level.

I would just hazard a guess here and say the storage was done purposefully and explicitly because that's just how Lanasa rolls. It would be no surprise at all if he intended to profit off the information somehow.
 

If TSR were a mythical creature it would be a Bonnacon, an obscure creature from medieval bestiaries that's like a bull except that its horns are curled back to be useless, so it attacks its enemies with caustic projectile feces. Everything touched by its feces burns.

That is certainly the facial expression I'd expect to see on a creature with caustic projectile faeces. And on a knight being on the receiving end of aforesaid weapon.
 

Abstruse

Legend
How would they even have gotten the actual credit card numbers stored?

I would think they used some off-the-shelf e-commerce platform and those - by default - would not actually store whole credit card numbers. At least - that would be such an egregious practice, that any consultant they hired would probably have to go out of their way (ie. explicitly program) and storage of numbers. Something like Shopify would not store credit card numbers by default.

Assuming they did that - someone would have to actually query a database to export the data into a spreadsheet. Again, some consultant could have scripted a simple script or interface for Lanasa to do it himself.


After all that - Lanasa would have to have the modicum of intelligence to operate a computer at some level.

I would just hazard a guess here and say the storage was done purposefully and explicitly because that's just how Lanasa rolls. It would be no surprise at all if he intended to profit off the information somehow.
I have no idea, but one possible explanation: The "webstore" isn't a normal webstore but just a submission form. They'd then run the credit cards manually through their point of sale system. It would be a cheaper way to do things since it would require not giving extra money to a third party processor or leasing a turnkey webstore solution. It's also insecure to the point of being possibly criminal. Again, I'm not saying this is what happened or that there's any evidence that this is what happened, just one possible explanation.
 

Michael Linke

Adventurer
How would they even have gotten the actual credit card numbers stored?

I would think they used some off-the-shelf e-commerce platform and those - by default - would not actually store whole credit card numbers. At least - that would be such an egregious practice, that any consultant they hired would probably have to go out of their way (ie. explicitly program) and storage of numbers. Something like Shopify would not store credit card numbers by default.

Assuming they did that - someone would have to actually query a database to export the data into a spreadsheet. Again, some consultant could have scripted a simple script or interface for Lanasa to do it himself.


After all that - Lanasa would have to have the modicum of intelligence to operate a computer at some level.

I would just hazard a guess here and say the storage was done purposefully and explicitly because that's just how Lanasa rolls. It would be no surprise at all if he intended to profit off the information somehow.
I’ve seen off the shelf (open source) e-commerce platforms store credit card numbers, albeit in an encrypted state. We implemented changes to one so that we could use it without storing those numbers for PCI reasons.

It’s possible his software stores these numbers as encrypted values, and he exported them as unencrypted plain text for some reason. It’s also possible he harvested these numbers in person from people who paid by card at one of his businesses.

It wasn’t always the case that PCI didn’t permit businesses to store credit card numbers. Older versions of the PCI-DSS standard allowed encrypted storage. He may just be using an ecommerce platform that was compliant at the time it was implemented.

Elsewhere, I commented out of a vivid memory of IMPLEMENTING PCI compliance at an already established business, but digging more, I think the issue there is that we were already compliant, but were implementing changes to adapt to a newer version of the standard, particularly the change from stored-encrypted to not-stored-at-all.

In digging through older PCI documentation, I even found stuff suggesting that smaller businesses, at least at one point, had less strict requirements. It’s possible LaNasa has these CC details while to the best of his understanding being minimally compliant with whatever version of PCI-DSS was relevant to him at the time he set up his electronic payments platform. It’s also just as possible the rules got more strict since then, and his business was small enough that he flew under the radar regarding compliance audits and external data breaches.

In any case, SHARING those details was still unambiguously wrong.
 

I would think they used some off-the-shelf e-commerce platform
Ha, there you go again, thinking!
any consultant they hired
Ha Ha! Yea, like Justin is going to pay someone to tell him what he doesn't need to know?

I mean this in the kindest way, bless your heart! but are you smoking crack? </silliness>

Think Justin would spend any money that he doesn't see a direct benefit from? The cheapest and easiest solution for running his businesses are certainly the choices he is going to make. imo, don't assign to intelligence or thought that which can be explained by ignorance and laziness.
 

Mannahnin

Scion of Murgen (He/Him)
I have no idea, but one possible explanation: The "webstore" isn't a normal webstore but just a submission form. They'd then run the credit cards manually through their point of sale system. It would be a cheaper way to do things since it would require not giving extra money to a third party processor or leasing a turnkey webstore solution. It's also insecure to the point of being possibly criminal. Again, I'm not saying this is what happened or that there's any evidence that this is what happened, just one possible explanation.
This is exactly what I assumed was going on when I saw the spreadsheet. I'm not in electronic payment processing/merchant acquiring anymore, and was never a technical expert even in the years I worked in that field, but this is definitely what it looks like to me.

If they were actually using a proper merchant acquirer/payment gateway on their website, they'd never even see those numbers. Last four digits of the card at most.
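
Editor's added example (not part of the thread or of any code used by the businesses discussed): a minimal Python check that a merchant or auditor could run over a CSV export to find full card numbers stored in plain text and reduce them to the last four digits, the most the post above says a gateway-integrated store would see. The column names and sample rows are constructed; the card values are the widely published test numbers, and the 13-19 digit candidate pattern is an assumption about how numbers appear in the file.

```python
import csv
import io
import re

# Candidate PAN: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_cell(value):
    """Return (redacted_value, [last4, ...]) for one spreadsheet cell."""
    found = []
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number, leave untouched
        found.append(digits[-4:])
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(repl, value), found

def scan_export(text):
    """Return (findings, redacted_csv); findings are (line, column, last4)."""
    rows = list(csv.reader(io.StringIO(text)))
    header, findings = rows[0], []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    for line_no, row in enumerate(rows[1:], start=2):
        clean = []
        for col, cell in zip(header, row):
            redacted, found = redact_cell(cell)
            findings += [(line_no, col, last4) for last4 in found]
            clean.append(redacted)
        writer.writerow(clean)
    return findings, out.getvalue()

# Constructed sample export; order_id values are 16 digits but fail Luhn.
SAMPLE = """name,phone,order_id,payment_note
Test Buyer A,910-555-0100,1234567890123456,4111 1111 1111 1111
Test Buyer B,910-555-0101,1234567890123457,card 5555-5555-5555-4444 exp on file
"""

if __name__ == "__main__":
    hits, cleaned = scan_export(SAMPLE)
    for line_no, col, last4 in hits:
        print(f"line {line_no}, column {col}: full card number ending {last4}")
    print(cleaned)
```

Any finding from a check like this means full card data is sitting in a file that can be copied or emailed, which is the exposure the article describes.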
 

lingual

Adventurer
This is exactly what I assumed was going on when I saw the spreadsheet. I'm not in electronic payment processing/merchant acquiring anymore, and was never a technical expert even in the years I worked in that field, but this is definitely what it looks like to me.

If they were actually using a proper merchant acquirer/payment gateway on their website, they'd never even see those numbers. Last four digits of the card at most.
I played around with their site. Looks like they use a real service. Actually declined a fake card number!
 



