Roll 20 Data Breach - Myth-Weavers


Roll 20 Data Breach

Hey folks, I know that some of you have occasionally tried to set up games over here and then used Roll20 to run them; you might want to rethink that policy going forward. I received the following email from Roll20's mods this morning, and it made me glad I am in the habit of using distinctly separate passwords and never posting vital information out in the open.

Roll20 Email
Conclusion of 2018 Data Breach Investigation
In February of this year we became aware of information claiming to be from the Roll20 “accounts table” being placed for sale on a dark web marketplace for $208, an amount less than comparable data sets. We immediately announced this information to Roll20 users and the public. This data represented approximately four million users from the end of 2018, and contained the following data:

Name (both moniker and first/last as listed)
Email address
Last four digits of credit card
Most recent IP address
Salted password hashes (bcrypt)
Roll20 Gaming data (time played)
Upon becoming aware of this data sale, our legal team engaged Kroll, who proceeded to review available logs from our cloud environments, email and other internal company communication methods, as well as actively monitoring further access to those systems. As of this time, the investigation has concluded.

The investigation identified several possible vectors of attack that have since been remedied. Best practices at Roll20 for communications and credential cycling have been updated, with several code library updates completed and more in development. Additionally, all sessions were logged out of Roll20 as a precautionary measure at the time we became aware of the breach.

Any user that wishes to see an example of their compromised data can contact me (Jeffrey Lamb) and request it. Be advised that it will merely be the personalized version of the information listed above, and that we will not be providing in-depth information on attack vectors, so as to not advise malicious actors as to our defenses.

Roll20 would advise users at this time that various data protection companies are making alerts, meaning it is likely that bad actors have purchased the data. We would always recommend regularly rotating passwords, as well as not sharing credentials between sites. Additional identity theft resources are also available via the Federal Trade Commission.

Frankly, this sucks.

But from the very beginning of our platform we were aware that we are an attractive hacking target, and have sought to mitigate the amount of data we hold in order to lessen the adverse effects of potential breaches. We will continue to build upon these efforts and implement ongoing new security practices to protect your information on Roll20.

- Jeffrey Lamb, Data Protection Officer

So, in conclusion: if you're a Roll20 user, be advised.

Thank you Erico for providing this news. Due to the topic it is impossible to discuss this without going into Worldly Talk territory, so this thread is being locked at this time. The post will remain as a public notice and is being moved to Announcements for visibility.
