Roll20. the popular digital playground to run your RPG sessions was unfortunately hacked – but all is not lost! But you might want to update your account password.
The virtual tabletop and amazing tool set site Roll20 suffered a security breach late last year. Frankly, that sucks. As a fan of that site and tools they have …it just stinks. Fortunately they did have security measure in place to protect users. That said you should DEFINITELY update your password for your account. Here’s the full statement from Roll20 below:
Earlier today (2/14), Roll20 was named in a report as one of several victims of an attack by cybercriminals. While we can confirm a breach did occur, we are currently focused on finding out all the facts. For now, it’s important to note the report makes clear that no financial data was included in the breach.
Our security teams work tirelessly to fix potential weaknesses in our systems, and we take seriously our responsibility to safeguard our users’ personal information.
Here’s how we do that:
Roll20 only maintains the following personal information: users’ name, email address, hashed password, last login IP and time of login, and the last 4 credit card digits.
We utilize bcrypt for password hashing, which means that it cannot be reverse-engineered for utilization with other sites or to access Roll20.
We know it’s frustrating to not have all the facts, and we’re working to uncover the full extent of this breach. We will be continuously updating our members with information as our investigation continues.
UPDATE 2/15 2:45 PM PT: Based off the account numbers from breached data, we’ve determined this took place on approximately December 26th. The data size (~700MB) is consistent with being our “account object,” which, as earlier stated, contains name, email address, last four of credit card, most recent IP address, and hashed & salted password. While the hash & salt should keep passwords safe, it never hurts to reset. We are continuing to work internally and with outside investigators to determine the methodology of breach, while also fulfilling GDPR requirements and notifying appropriate law enforcement.
So there is some silver lining there. While the attackers were able to breach the data, a lot of that information was still protected: “no financial data was included in the breach” and passwords “cannot be reverse-engineered for utilization with other sites or to access Roll20.” Whew! Good on Roll20 for that.
That said if you have a Roll20 account, you should log in and RESET YOUR PASSWORD! And one other thing – never, NEVER use the same passwords/usernames across websites. That’s one of the easiest ways for a hacker to get access to your info.
Poster by James White
TL;DR – Roll20 Hacked. You’re probably fine – But change your password.