Online tabletop and role-playing game company Roll20 have revealed suffered a data breach that resulted in sensitive user data being exposed.
The company confirmed the news in an FAQ post published on its website, noting an unauthorized individual accessed its systems on June 29, using a compromised admin account. From there, they were able to view, and modify, other people’s accounts.
The threat actor dwelled inside Roll20’s systems for an hour, and during this time was able to make changes to one user account. The changes have since been reverted.
“Action plan” for the future
As for other users, their personal data were accessed, the company said. The data exposed includes the users’ full names, email addresses, last known IP addresses, and the last four digits of their credit card (in case the users provided such information).
Account passwords were not exposed since only salted, bcrypt hashes are stored. Furthermore, payment information was also not exposed since Roll20 does not keep it on its servers.
Other key information is missing from the FAQ. Notably, the company did not elaborate how many people were affected by the breach, and whether or not the hackers exfiltrated the information or not. We also don’t know exactly how they gained access to the admin account, whether the target’s computer was infected with malware, or if the admin gave the login credentials away in a phishing attack.
We asked Roll20 for further clarification and will update the article if we hear back from them.
To prevent similar incidents from happening in the future, Roll20 implemented an “action plan” that includes further restrictions to the admin accounts, further restrictions to the data even an admin can access, and “enhanced security measures, as needed”.
Roll20 is one of the most popular platforms in its category, with more than 12 million active users.
