Roll20 Hacked. 4 million records at risk
Last night the tech press reported that a notorious hacker had struck again, claiming another 127 million accounts and records of exposed data for their trophy belt.

Virtual tabletop site Roll20 is in the list of victims, and Roll20 have now confirmed they have had a security breach.

The hacker is claiming to have 4 million records from Roll20. The hacker seems to use the words ‘records’ and ‘accounts’ differently.

Roll20 have officially responded via their forums. They stress that no financial information is at risk and that all passwords are encrypted.
Earlier today, Roll20 was named in a report as one of several victims of an attack by malicious cybercriminals. We are currently working diligently to investigate the veracity of those claims.

Our security teams work tirelessly to monitor, identify and fix potential weaknesses in our systems to prevent any attacks, and we take seriously our responsibility to safeguard our users’ personal information. Accordingly, Roll20 only maintains users’ name, email address, hashed password, last login IP and time of login, and the last 4 digits of users’ credit card. We use Stripe and PayPal to process transactions; all billing information is handled by them and never touches our servers. For password hashing we utilize bcrypt, which means that it cannot be reverse-engineered for utilization with other sites or to access Roll20.
We work hard to ensure data breaches don’t happen, and we always plan ahead for worst-case scenarios. That’s why we maintain strict limits on the amount of personal information available for exposure in such a breach.
We will be continuously updating our members with information as we receive it.
UPDATE 3:38PM PT: To remove any possible session cookies, we’ve logged everyone out of the site as a security precaution as we continue to investigate.

We have confirmed a possible time-frame from this data based on the number of accounts the cybercriminal states they accessed and we are still researching methodologies of access.

UPDATE 2/15 2:45 PM PT: Based off the account numbers from breached data, we’ve determined this took place on approximately December 26th. The data size (~700MB) is consistent with being our “account object,” which, as earlier stated, contains name, email address, last four of credit card, most recent IP address, and hashed & salted password. While the hash & salt should keep passwords safe, it never hurts to reset.

We are continuing to work internally and with outside investigators to determine the methodology of breach, while also fulfilling GDPR requirements and notifying appropriate law enforcement. Expect more details early next week.
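The forced logout in the 3:38PM update is a server-side step: a site cannot reach into browsers to delete cookies, so it has to stop honouring them. The following added example (not Roll20's code; the cookie format, secret and timestamps are constructed for illustration) shows one way to do that with signed session cookies and a server-side cutoff, so that a cookie copied before the incident keeps a valid signature but is refused afterwards.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional


class SessionService:
    """Signed session cookies plus a server-side cutoff for mass revocation (hypothetical)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        # Sessions issued before this Unix time are refused, even if their signature is valid.
        self.sessions_invalid_before = 0

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def issue(self, user_id: int, issued_at: int) -> str:
        """Build a cookie of the form base64url(JSON payload) + '.' + hex(HMAC-SHA256)."""
        payload = json.dumps({"uid": user_id, "iat": issued_at}, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def validate(self, cookie: str) -> Optional[int]:
        """Return the user id if the cookie is authentic and not revoked, otherwise None."""
        try:
            body, sig = cookie.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(body.encode())
            data = json.loads(payload)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            return None
        # Constant-time comparison so the signature check does not leak timing information.
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        issued_at = data.get("iat") if isinstance(data, dict) else None
        if not isinstance(issued_at, int) or issued_at < self.sessions_invalid_before:
            return None
        return data.get("uid")

    def log_everyone_out(self, now: int) -> None:
        """Incident-response step: refuse every session issued before 'now'.
        Nothing is removed from browsers; copied cookies simply stop validating."""
        self.sessions_invalid_before = now


if __name__ == "__main__":
    svc = SessionService(b"constructed-demo-secret")
    stolen = svc.issue(42, 1545782400)   # constructed: a session issued on 2018-12-26
    print(svc.validate(stolen))          # 42: still honoured before the response
    svc.log_everyone_out(1550000000)     # constructed: the site-wide forced logout
    print(svc.validate(stolen))          # None: same cookie, valid signature, now refused
```

A per-user cutoff (bumped on password change) gives the same effect for a single account, which is the server-side counterpart of the "reset your password" advice.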

As yet, Roll20 has not sent out e-mails to its users, nor actively notified them beyond posting the blog.

While your passwords should be secure, it is a good idea to change them right now.
