Roll20, a popular online tabletop platform for role-playing games (RPGs), revealed on July 3 that its systems had been breached.
It said a “bad actor” gained unauthorized access to the company’s administrative website on June 29 and was able to view all user accounts, exposing Roll20 users’ personally identifiable information (PII).
Names, Email and IP Addresses, and Partial Bank Data Exposed
The exposed data include users’ first and last names, email addresses, last known IP address and, for users who kept a stored payment method in their Roll20 account, the last four digits of the credit card number.
The company added that neither users’ passwords, which are stored as salted bcrypt hashes, nor complete payment information were exposed.
“We do not store that information on our servers; it is stored with our payment processors,” the firm explained.
“While we have no reason to believe that your personal information has been misused, we are notifying you so that you have the information and tools necessary to help detect and prevent any misuse of your personal information,” it added.
Roll20 told board game news website Dicebreaker that its user base had reached 10 million people in 2022. The platform now claims 12 million users on its website.
A Roll20 spokesperson contacted by the media did not disclose the total number of users affected by the breach.
Roll20 Implemented a Post-Incident Action Plan
In its security advisory, Roll20 said that its security team noticed the compromise at approximately 6.30 pm Pacific Standard Time on June 29.
“The bad actor modified one user account, and we promptly reversed those modifications. By 7.30 pm [the same day] we had blocked all unauthorized access and ended the network breach,” the advisory reads.
Roll20 did not say who the attackers were or how they gained access to the company’s administrative portal.
However, the company confirmed it started implementing an action plan following the incident, which includes:
- Further restricting access to the administrative accounts to prevent unauthorized account access
- Further restricting the data that an administrative user can access
- Adding enhanced security measures as needed to prevent this incident from happening again
Roll20 users can contact the company via https://help.roll20.net with the subject line ‘Incident Data Request.’