Online board game and role-playing game company Roll20 has announced that it has suffered a data breach that exposed sensitive user data.
The company confirmed the news in a FAQ posted on its website, which noted that an unauthorized individual gained access to its systems on June 29, using a compromised admin account. From there, they were able to view and modify other people’s accounts.
The threat actor remained in Roll20’s systems for an hour and was able to make changes to one user account during that time. The changes have since been rolled back.
“Action Plan” for the Future
As for other users, their personal data was accessed, the company said. The exposed data included users’ full names, email addresses, last known IP addresses and the last four digits of their credit cards (where users had provided such information).
Account passwords were not exposed, as only salted bcrypt hashes are stored. Payment details were also not exposed, as Roll20 does not store them on its servers.
Other important information is missing from the FAQ. Notably, the company did not specify how many people were affected by the breach or whether the hackers exfiltrated the information. We also do not know exactly how they gained access to the administrator account: whether the target’s computer was infected with malware, or whether the administrator gave away the credentials in a phishing attack.
We have reached out to Roll20 for further clarification and will update the article if we hear from them.
To prevent similar incidents from happening in the future, Roll20 has implemented an “action plan” that includes further restrictions on administrator accounts, further restrictions on the data an administrator can access, and “enhanced security measures, as needed.”
Roll20 is one of the most popular platforms in its category, with over 12 million active users.