Roll20 Security Breach – Reset Your Account Passwords

3 Minute Read

Feb 16 2019

Roll20. the popular digital playground to run your RPG sessions was unfortunately hacked – but all is not lost! But you might want to update your account password.

The virtual tabletop and amazing tool set site Roll20 suffered a security breach late last year. Frankly, that sucks. As a fan of that site and tools they have …it just stinks. Fortunately they did have security measure in place to protect users. That said you should DEFINITELY update your password for your account. Here’s the full statement from Roll20 below:

via Steve K, Roll20

Earlier today (2/14), Roll20 was named in a report as one of several victims of an attack by cybercriminals. While we can confirm a breach did occur, we are currently focused on finding out all the facts. For now, it’s important to note the report makes clear that no financial data was included in the breach.

Our security teams work tirelessly to fix potential weaknesses in our systems, and we take seriously our responsibility to safeguard our users’ personal information.

Here’s how we do that:

Roll20 only maintains the following personal information: users’ name, email address, hashed password, last login IP and time of login, and the last 4 credit card digits.
We use Stripe and PayPal to process transactions; all billing information is handled by them and never touches our servers.

Advertisement
We utilize bcrypt for password hashing, which means that it cannot be reverse-engineered for utilization with other sites or to access Roll20.

We know it’s frustrating to not have all the facts, and we’re working to uncover the full extent of this breach. We will be continuously updating our members with information as our investigation continues.

UPDATE 2/15 2:45 PM PT: Based off the account numbers from breached data, we’ve determined this took place on approximately December 26th. The data size (~700MB) is consistent with being our “account object,” which, as earlier stated, contains name, email address, last four of credit card, most recent IP address, and hashed & salted password. While the hash & salt should keep passwords safe, it never hurts to reset. We are continuing to work internally and with outside investigators to determine the methodology of breach, while also fulfilling GDPR requirements and notifying appropriate law enforcement.

So there is some silver lining there. While the attackers were able to breach the data, a lot of that information was still protected: “no financial data was included in the breach” and passwords “cannot be reverse-engineered for utilization with other sites or to access Roll20.” Whew! Good on Roll20 for that.

That said if you have a Roll20 account, you should log in and RESET YOUR PASSWORD! And one other thing – never, NEVER use the same passwords/usernames across websites. That’s one of the easiest ways for a hacker to get access to your info.

Poster by James White

Subscribe to our newsletter!

Get Tabletop, RPG & Pop Culture news delivered directly to your inbox.

By subscribing you agree to our Terms of Use and Privacy Policy.

TL;DR – Roll20 Hacked. You’re probably fine – But change your password.

Don't Miss:

Author: Adam Harrison

Writer, Editor, Texas Native, and Austinite for 15+ years, Adam covers all things Tabletop Gaming. Which includes Warhammer 40,000, Age of Sigmar, D&D, Board Games and everything else that involves dice, boards, cards and a table. A hobbyist, player, and collector of miniatures and games, Adam's current obsession are his Death Armies for Age of Sigmar, his Blood Angels and Tyranids for 40k, and his ever growing Arkham Horror: The Card Game Collection.

Roll20 RPGs Tabletop News