Roll20, an online tabletop and role-playing game company, has revealed that it experienced a data breach, resulting in the exposure of sensitive user data.
The company confirmed this information in a FAQ post on its website. It noted that an unauthorised individual gained access to its systems on June 29th using a compromised admin account.
During the breach, the attacker was able to view and modify other users’ accounts. The intruder remained within Roll20’s systems for an hour and was able to make changes to one user account, which has since been reverted.
The company reported that the personal data of other users was accessed. The exposed data includes full names, email addresses, last known IP addresses, and the last four digits of credit card numbers, where users had provided them. The company stated that account passwords were not exposed, as they are stored as salted bcrypt hashes.
Additionally, payment information was not compromised as it is not stored on Roll20’s servers.
However, the FAQ lacks some key information. The company did not disclose how many people were affected by the breach, or whether the attacker actually exfiltrated the data that was accessed.
It is also still unknown how the attacker gained access to the admin account: whether the admin's computer was infected with credential-stealing malware, or the admin handed over the login credentials in a phishing attack.
To prevent similar incidents in the future, Roll20 has implemented an “action plan.” This plan includes additional restrictions on admin accounts and data access, as well as enhanced security measures as necessary.
Roll20 is a highly popular platform, boasting over 12 million active users.