User information from over 4 million users of Roll20 was recently posted to a dark web marketplace, the result of an apparent hack of the service’s databases.
TechCrunch reported that Roll20 was one of eight services whose user data was posted online in this batch. The hacker reportedly responsible had previously obtained data on 620 million users from 16 websites last year. No financial information was obtained in the alleged Roll20 breach.
If there is a bright spot to this story, it's the way Roll20 handles data. In their words:
Roll20 only maintains the following personal information:
- Users’ name, email address, hashed password, last login IP and time of login, and the last 4 credit card digits.
- We use Stripe and PayPal to process transactions; all billing information is handled by them and never touches our servers.
- We utilize bcrypt for password hashing, which means that it cannot be reverse-engineered for utilization with other sites or to access Roll20.
You have more than likely already received an email from Roll20 about this breach. It read:
On February 14, we learned that an unauthorized party had illegally gained access to Roll20 account information and we issued a site-wide alert to our users. We take our responsibility to safeguard our users’ personal information seriously and have duly commenced an investigation.
We have determined that the attack took place on approximately December 26, 2018 and affected four million user accounts. The precautions we take to keep your information secure mean that only the following data could be accessed: users’ names, emails, last four numbers of credit card, and passwords that have been securely salted and hashed with bcrypt so they cannot be reverse-engineered or exposed.
This illegal breach did NOT access financial data. Roll20 processes transactions and data through secure third party platforms such as Stripe and PayPal. Our servers do not store or even touch your financial data directly.
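The two statements above rest on one point: what leaked for passwords was a salted, slow hash, not the password. The following is an added example, not Roll20's code. It shows the structure that makes such a dump hard to exploit: a random per-user salt, a tunable cost, and a constant-time verify. Roll20 says it uses bcrypt; bcrypt is not in Python's standard library, so this demo uses hashlib.scrypt as a stand-in with the same shape. The record format, cost parameters, and the two sample accounts are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not Roll20's code). Salted password hashing and verification,
# illustrating why a dumped hash table does not hand an attacker the passwords.
# scrypt stands in for bcrypt here because bcrypt is not in the stdlib; the
# structure (per-user salt, cost, constant-time compare) is the same.

# Cost parameters: assumed values for the demo, tune for your own hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "scrypt$N$r$p$salt_hex$hash_hex".

    A fresh 16-byte salt is drawn per call, so two users with the same
    password get different records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF from the parameters stored in the record and compare
    in constant time. A malformed record never verifies."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)


def demo_leaked_table() -> dict:
    """Constructed sample: two accounts that happen to share a password.
    The dict of records is what an attacker would get from a database dump."""
    users = {"alice": "correct horse battery", "bob": "correct horse battery"}
    table = {u: hash_password(pw) for u, pw in users.items()}
    return {
        # Different salts: identical passwords do not produce identical records.
        "records_differ": table["alice"] != table["bob"],
        "alice_ok": verify_password("correct horse battery", table["alice"]),
        "bob_ok": verify_password("correct horse battery", table["bob"]),
        "wrong_password_verifies": verify_password("correct horse batter", table["alice"]),
        # Pasting the leaked record itself as the password does not log in;
        # the stored hash is not a credential.
        "hash_as_password_verifies": verify_password(table["alice"], table["alice"]),
    }


if __name__ == "__main__":
    for name, outcome in demo_leaked_table().items():
        print(f"{name}: {outcome}")
```

What a hash like this does not protect against is the weak or reused password itself: an attacker can still run a dictionary through the KDF per account, just slowly, which is why the advice further down to change a reused password still stands.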
They also said:
As soon as Roll20 could confirm the data for sale was account information, we logged all users out of the site as a security precaution. This interrupted games in play for about one minute and removed any session cookies.
We continue to investigate the nature and scale of the illegal access and will continue to inform our users. We are working on appropriate notifications of law enforcement and responsibilities under GDPR.
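Logging every user out at once is the right first move when you cannot yet tell which sessions are in an attacker's hands. Clearing cookies in the browser is only half of it; the server also has to refuse tokens it issued before the cutoff, or a copied cookie keeps working. The following is an added example, not Roll20's code, of one way to do that server-side: each session token carries its issue time under an HMAC, and a single "not valid before" watermark retires everything issued earlier without touching per-user state. The token format, secret key, and timestamps are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example (not Roll20's code): site-wide forced logout via a server-side
# "not valid before" watermark. Bumping the watermark once invalidates every
# token issued earlier, whether or not the client ever deleted its cookie.

SESSION_KEY = b"demo-only-key-replace-in-production"  # assumption: server secret


class SessionStore:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.not_valid_before = 0.0  # tokens issued before this instant are dead

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def issue(self, user: str, now: float) -> str:
        """Mint "b64(payload).b64(sig)" where payload records user and issue time."""
        payload = json.dumps({"u": user, "iat": now}, separators=(",", ":")).encode()
        p64 = base64.urlsafe_b64encode(payload).decode()
        s64 = base64.urlsafe_b64encode(self._sign(payload)).decode()
        return f"{p64}.{s64}"

    def validate(self, token: str, now: float, max_age: float = 86400.0) -> Optional[str]:
        """Return the user for a good token; None if forged, expired, or revoked."""
        try:
            p64, s64 = token.split(".")
            payload = base64.urlsafe_b64decode(p64.encode())
            sig = base64.urlsafe_b64decode(s64.encode())
            if not hmac.compare_digest(sig, self._sign(payload)):
                return None
            claims = json.loads(payload)
            user, iat = str(claims["u"]), float(claims["iat"])
        except (ValueError, KeyError, TypeError):
            return None
        if iat < self.not_valid_before:  # retired by a forced logout
            return None
        if now - iat > max_age:  # ordinary expiry
            return None
        return user

    def force_logout_everyone(self, now: float) -> None:
        """Breach response: one write, every existing session is rejected."""
        self.not_valid_before = now


def demo_breach_response() -> dict:
    """Constructed timeline: a session issued, a forced logout, a fresh login."""
    store = SessionStore(SESSION_KEY)
    t0 = 1_000_000.0  # constructed timestamp, arbitrary
    old = store.issue("alice", t0)
    before = store.validate(old, t0 + 60)

    t1 = t0 + 3600  # the moment the sale of account data is confirmed
    store.force_logout_everyone(t1)
    after = store.validate(old, t1 + 1)  # the copied cookie no longer works

    fresh = store.issue("alice", t1 + 5)  # user logs back in with a new password
    renewed = store.validate(fresh, t1 + 10)

    # Flip the tail of the signature: must fail regardless of the watermark.
    tampered = old[:-2] + ("AA" if old[-2:] != "AA" else "BB")
    forged = store.validate(tampered, t0 + 60)
    return {"before": before, "after_forced_logout": after,
            "renewed": renewed, "forged": forged}


if __name__ == "__main__":
    for name, outcome in demo_breach_response().items():
        print(f"{name}: {outcome!r}")
```

The watermark is a single global value, so it is cheap to check on every request and survives a store that holds millions of sessions; the price is that everyone, not just affected users, is asked to log in again, which is exactly what Roll20 describes.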
And they offered suggestions for what to do next:
Recommended Safety Measures
While your Roll20 password has been securely encrypted, it is never a bad idea to change it regularly! We will not be forcing a password change on all users, but we do recommend you log in to access “My Account” and select a new password. If you were using the same email address and password on other websites, we advise you to update your information there also! We also recommend you take extra caution against any unsolicited emails, especially those that request personal information and include links or downloadable attachments. Roll20 will never send emails asking for your log-in or financial information, nor will we send a link asking you to log in (this is a common technique for phishing emails).
So, what do you think of this breach? I guess it’s a good thing that no financial information was acquired, but still, this is not good and does not look good for them.