The leading virtual tabletop, with over 4 million accounts, has been hacked. Roll20 was one of many victims in a major hack back in December 2018. No financial details were included.
Here is their current statement:
"Earlier today (2/14), Roll20 was named in a report as one of several victims of an attack by cybercriminals. While we can confirm a breach did occur, we are currently focused on finding out all the facts. For now, it’s important to note the report makes clear that no financial data was included in the breach. Our security teams work tirelessly to fix potential weaknesses in our systems, and we take seriously our responsibility to safeguard our users’ personal information.
Here’s how we do that:
- Roll20 only maintains the following personal information: users’ name, email address, hashed password, last login IP and time of login, and the last 4 credit card digits.
- We use Stripe and PayPal to process transactions; all billing information is handled by them and never touches our servers.
- We utilize bcrypt for password hashing, which means that it cannot be reverse-engineered for utilization with other sites or to access Roll20.
UPDATE 2/15 2:45 PM PT: Based off the account numbers from breached data, we've determined this took place on approximately December 26th. The data size (~700MB) is consistent with being our "account object," which, as earlier stated, contains name, email address, last four of credit card, most recent IP address, and hashed & salted password. While the hash & salt should keep passwords safe, it never hurts to reset. We are continuing to work internally and with outside investigators to determine the methodology of breach, while also fulfilling GDPR requirements and notifying appropriate law enforcement. Expect more details early next week"
Getting hacked is commonplace these days (you may recall this site was hacked a few years back); what's surprising is that Roll20 has 4 MILLION accounts. That certainly speaks to the growth of our hobby.
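As an added illustration of the "hashed & salted password" point in the statement (this is not code from the post or from Roll20), the stand-alone Python below parses stored bcrypt values in their modular-crypt form, showing that the per-user salt and the cost factor travel inside the stored string, and flags entries that fall below an assumed minimum cost of 12 (or are not bcrypt at all) for rehashing at the user's next login. The hash strings and the cost threshold are constructed sample values, not anything from the breach.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Stored bcrypt value: $<version>$<cost>$<22-char salt><31-char digest>, 60 chars total.
# The salt is random per user and stored in the clear; the cost is the work factor (2**cost rounds).
_BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

MIN_COST = 12  # assumed policy threshold; raise it as hardware gets faster


@dataclass
class BcryptHash:
    version: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(stored: str) -> Optional[BcryptHash]:
    """Split a stored bcrypt string into its fields, or return None if it is not bcrypt."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        return None
    version, cost, salt, digest = m.groups()
    return BcryptHash(version, int(cost), salt, digest)


def audit(stored: str, min_cost: int = MIN_COST) -> str:
    """Classify one stored value: 'ok', 'rehash-low-cost', or 'not-bcrypt'."""
    h = parse_bcrypt(stored)
    if h is None:
        return "not-bcrypt"          # e.g. a legacy unsalted hex digest: rehash on next login
    if h.cost < min_cost:
        return "rehash-low-cost"     # salted, but cheap enough to guess at scale
    return "ok"


def audit_all(records: List[str]) -> Dict[str, int]:
    """Count stored values per audit result."""
    counts: Dict[str, int] = {}
    for stored in records:
        result = audit(stored)
        counts[result] = counts.get(result, 0) + 1
    return counts


# Constructed sample values (synthetic, not real password hashes):
SAMPLE_HASHES = [
    "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # cost 12: ok
    "$2a$05$" + "zyxwvutsrqponmlkjihgfe" + "98765ZYXWVUTSRQPONMLKJIHGFEDCBA",  # cost 5: too cheap
    "0123456789abcdef0123456789abcdef",                                       # 32-hex legacy value
]

if __name__ == "__main__":
    for stored in SAMPLE_HASHES:
        print(audit(stored), parse_bcrypt(stored))
    print(audit_all(SAMPLE_HASHES))
```

Note that even a correctly salted, cost-12 bcrypt hash only slows guessing; it does not make a weak password safe, which is why a reset after a breach is still the right call.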