Roll20's 4M Accounts Hacked

The leading virtual tabletop, with over 4 million accounts, has been hacked. Roll20 was one of many victims in a major hack back in December 2018. No financial details were included.

The leading virtual tabletop, with over 4 million accounts, has been hacked. Roll20 was one of many victims in a major hack back in December 2018. No financial details were included.


roll20.jpg

Here is there current statement:

"Earlier today (2/14), Roll20 was named in a report as one of several victims of an attack by cybercriminals. While we can confirm a breach did occur, we are currently focused on finding out all the facts. For now, it’s important to note the report makes clear that no financial data was included in the breach. Our security teams work tirelessly to fix potential weaknesses in our systems, and we take seriously our responsibility to safeguard our users’ personal information.

Here’s how we do that:

  • Roll20 only maintains the following personal information: users’ name, email address, hashed password, last login IP and time of login, and the last 4 credit card digits.
  • We use Stripe and PayPal to process transactions; all billing information is handled by them and never touches our servers.
  • We utilize bcrypt for password hashing, which means that it cannot be reverse-engineered for utilization with other sites or to access Roll20.
We know it’s frustrating to not have all the facts, and we’re working to uncover the full extent of this breach. We will be continuously updating our members with information as our investigation continues.

UPDATE 2/15 2:45 PM PT: Based off the account numbers from breached data, we've determined this took place on approximately December 26th.The data size (~700MB) is consistent with being our "account object," which, as earlier stated, contains name, email address, last four of credit card, most recent IP address, and hashed & salted password. While the hash & salt should keep passwords safe, it never hurts to reset.We are continuing to work internally and with outside investigators to determine the methodology of breach, while also fulfilling GDPR requirements and notifying appropriate law enforcement.Expect more details early next week"

Getting hacked is commonplace these days (you may recall this site was hacked a few years back), what's surprising is that Roll20 has 4 MILLION accounts. That certainly speaks to the growth of our hobby.
 
Click to expand...

log in or register to remove this ad

Morrus

Morrus is the owner of EN World and EN Publishing, creator of the ENnies, creator of the What's OLD is NEW (WOIN), Simply6, and Awfully Cheerful Engine game systems, publisher of Level Up: Advanced 5th Edition, and co-host of the weekly Morrus' Unofficial Tabletop RPG Talk podcast. He has been a game publisher and RPG community administrator for over 20 years, and has been reporting on TTRPG and D&D news for over two decades. He is also on the socials.

log in or register to remove this ad


K

kittenhugs

Explorer
The information of 4 million users being breached isn't cause for celebration, it means that Roll20 has (or had I guess, if you want to give them the benefit of the doubt) paltry security that hasn't had the resources put into it that it should for the size of its userbase. This article is an awful take.
 

D

Dualazi

First Post
Yeah, got to echo some of the other sentiments here that the account numbers are not cause for celebration. It's pretty embarrassing how lax every company seems to take security, but given that they rarely seem to be harmed by it I can't say that I'm too surprised.
 

K

Koloth

First Post
A quick security test for your non-email accounts - if they require the use of email address as your account name, they aren't taking security serious. Fairly easy process for bad folk to take the list of 4 million accounts stolen from Roll20 and run the email addresses against other sites that mandate email address as account name. All they have to do is try each stolen address with the top 10 or so passwords off the most common used passwords list and they are very likely to have many successes. Not good for cracking a specific account but good for getting general access to a system.

What can you do?
1. Don't use passwords that show up on the top 100 most commonly used passwords list.
2. Use more then 8 characters for your password.
3. Ask sites that currently require account name = email address to change.
 




G

Greenstone.Walker

Adventurer
Koloth said:
What can you do?
1. Don't use passwords that show up on the top 100 most commonly used passwords list.
2. Use more then 8 characters for your password.
3. Ask sites that currently require account name = email address to change.
Click to expand...

QFT.

Also:
4. DO NOT REUSE PASSWORDS!
If an attacker gets mickey@disney.com, password abc123, from a hack of roll20.net then they will try that same username and password on Ebay, PayPal, Yahoo, MSN, .......

5. Do not store any of your credit card details online.
It's a hassle having to type it in each time, but that hassle is worth it to stop identity theft.
 

R

Ratskinner

Adventurer
Henry said:
I can’t speak to other countries, but I can confidently say that, if you live in the United States, some of your personally identifiable information (PII) has been released through a breach at least once in your lifetime, no matter how old you are. At the very least, multiple branches of the U.S. Government have been breached, exposing you, your wife/husband/S.O., and your children’s PII in some fashion.

No, it’s not right that it happens; no, it shouldn’t happen with the alarming frequency that it does; but everyone needs to be aware that it does, with that kind of frequency, every day of our lives. Just one breach of Yahoo! In 2016 exposed one BILLION client records of the company. The nonchalance that some people exhibit simply comes from having something that should be shocking occur incessantly.
Click to expand...

Can't say I disagree, but honestly we've gotten numb to so many things that are so much more horrible that data breaches...kinda makes you wonder about our species sometimes.
 

Similar Threads

Morrus
The Rise And Fall Of Evil Genius Games
32 33 34 35 36
Replies
357
Views
100K
Wofano Wotanto
W
Abstruse
News Digest for August 4, 2023
Replies
7
Views
7K
Abstruse
Abstruse
Abstruse
News Digest for August 11, 2023
2
Replies
10
Views
7K
sevenbastard
S
Abstruse
News Digest for the Week of December 16
Replies
6
Views
4K
Eyes of Nine
Eyes of Nine
talien
RPG Evolution: This Sounds Familiar
2
Replies
13
Views
6K
Ramicus
R

Related Articles

Remove ads

Remove ads

Top