TheRPGSite

Pen & Paper Roleplaying Central => Pen and Paper Roleplaying Games (RPGs) Discussion => Topic started by: Apparition on February 15, 2019, 11:27:38 PM

Title: PSA: Roll20 Hacked
Post by: Apparition on February 15, 2019, 11:27:38 PM
Roll20 was hacked in late December (http://blog.roll20.net/post/182811484420/roll20-security-breach), and the usernames, real names, e-mail addresses, passwords, and the last four digits of the credit or debit cards of four million Roll20 users were stolen and are currently on sale on the dark web.  Much more concerning is that Roll20 had no clue about this massive security breach until it was reported on TechCrunch (https://techcrunch.com/2019/02/14/hacker-strikes-again/) yesterday.


Quote from: TechCrunch
A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from eight more websites, TechCrunch has learned.  The hacker, whose listing was the previously disclosed data for about $20,000 in bitcoin on a dark web marketplace, stole the data last year from several major sites -- some that had already been disclosed, like more than 151 million records from MyFitnessPal (https://techcrunch.com/2018/03/29/under-armour-says-myfitnesspal-data-breach-affected-150-million-users/) and 25 million records from Animoto (https://techcrunch.com/2018/08/20/animoto-hack-exposes-personal-information-geolocation-data/). But several other hacked sites on the marketplace listing didn't know or hadn't disclosed yet -- such as 500px (https://www.theverge.com/2019/2/13/18223660/500px-security-breach-14-8-million-users-personal-information-stolen-cybersecurity) and Coffee Meets Bagel (https://techcrunch.com/2019/02/14/happy-valentines-day-your-dating-app-account-was-hacked-says-coffee-meets-bagel/).


[...] In all, the hacker is selling the hacked data for about $14,500 in bitcoin.


Quote from: Roll20
Based off the account numbers from breached data, we've determined this took place on approximately December 26th. The data size (~700MB) is consistent with being our "account object," which, as earlier stated, contains name, email address, last four of credit card, most recent IP address, and hashed & salted password. While the hash & salt should keep passwords safe, it never hurts to reset.


So if you use Roll20, change your password immediately.
Title: PSA: Roll20 Hacked
Post by: kythri on February 16, 2019, 12:24:13 AM
Better yet, cancel your Roll20 membership, and use a service that's not run by a petulant child who can't keep his shit secure.
Title: PSA: Roll20 Hacked
Post by: danskmacabre on February 16, 2019, 01:35:33 AM
I have hardly ever used Roll20, so deleted it.
Title: PSA: Roll20 Hacked
Post by: Snowman0147 on February 16, 2019, 02:22:10 PM
Thankfully my credit information isn't even in there.
Title: PSA: Roll20 Hacked
Post by: estar on February 16, 2019, 03:47:43 PM
The passwords were not stolen, only what they call the hash, which is a common fail-safe to make sure that in the event everything else fails, the hacker doesn't know what you typed.

The way the technology works is that there is a cryptographic algorithm that turns the plain text of what you type in as a password into a hash. It is that hash, compared to what is stored, that determines whether the right password was typed in. The hash is very difficult to reverse engineer, taking years of a supercomputer's time.

I am not concerned about the password side of things, although periodic changes of one's password are a good thing regardless.

Their credit card processing was handled off site via Stripe and PayPal. Since the first wave of internet storefronts this has been becoming way more common as a fail-safe. Secure credit card processing is its own discipline that not all internet companies are competent in doing. Hence the use of third parties like PayPal by Roll20.

Doesn't mean the data breach isn't serious. However, it is not catastrophic. The most severe consequence is that your last four credit card digits will be used as part of data mining. If your credit card # was stolen in a previous hack, they could match that and find out a possible email address associated with that card. While serious, it is not the end of the world.
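The "hashed & salted password" scheme discussed in the post above, shown as an added example. This is not Roll20's code and the page does not say which algorithm Roll20 uses; PBKDF2-HMAC-SHA256 with a per-user random salt is assumed here for illustration, the iteration count is kept deliberately low so the demo runs instantly, and the sample passwords and wordlist are constructed. The example shows what the site stores, how a login is checked without ever storing the password, why two users with the same password get different stored values, and what an attacker holding a leaked record can still do: the salt is stored next to the digest, so it does not stop offline guessing of a weak password, but it forces each record to be attacked separately and makes precomputed tables useless.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed parameters for this illustration. A production deployment uses a far
# higher iteration count, or a memory-hard KDF such as scrypt or Argon2.
ITERATIONS = 1000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn for every user, so the
    stored value depends on both the password and the salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: re-derive the digest from the typed password and the stored
    salt, then compare in constant time. The plaintext is never stored."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def same_password_different_digests(password: str) -> bool:
    """Two accounts with the same password get different salts and therefore
    different digests, so a leaked database does not reveal shared passwords
    and a table precomputed for one salt is useless for any other record."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


def crack_record(salt: bytes, digest: bytes, wordlist: List[str]) -> Optional[str]:
    """What an attacker holding one leaked (salt, digest) record can do: guess
    offline. The salt is in the record, so it is no secret; its value is that
    each record must be attacked on its own, one KDF call per guess."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample "account objects": one weak password, one strong one.
    weak_salt, weak_digest = hash_password("hunter2")
    strong_salt, strong_digest = hash_password("correct horse battery staple")

    # Constructed attacker wordlist.
    wordlist = ["password", "123456", "hunter2", "dragon", "letmein"]

    print("login ok:", verify_password("hunter2", weak_salt, weak_digest))
    print("salt varies:", same_password_different_digests("hunter2"))
    print("weak record cracked as:", crack_record(weak_salt, weak_digest, wordlist))
    print("strong record cracked as:", crack_record(strong_salt, strong_digest, wordlist))
```

The last two lines of the demo are the practical reading of "hashed & salted": the salt protects against bulk precomputation and against one crack exposing every account that shares the password, but a password already in a common wordlist is still found in moments, which is why a reset after a leak is the right call regardless of the hashing.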
Title: PSA: Roll20 Hacked
Post by: Grognard101 on February 16, 2019, 11:31:46 PM
I run a weekly game there. Guess it is time to go to Fantasy Grounds.....
Title: PSA: Roll20 Hacked
Post by: Apparition on February 17, 2019, 03:12:25 AM
Quote from: Grognard101;1075290
I run a weekly game there. Guess it is time to go to Fantasy Grounds.....

Honestly, that Roll20 was hacked in and of itself isn't too bad.  It happens to practically everyone, including the United States federal government, at this point.  What really bothers me though is that Roll20 had no idea that it was hacked for about a month and a half until it was reported on a technology news website.  That has me reconsidering my use of Roll20.