Player data exposed in security breach on RPG platform Roll20


Roll20, a popular online role-playing game platform, revealed on July 3 that its systems had been hacked.

It said a “bad actor” gained unauthorized access to the company’s administrative website on June 29 and was able to view all user accounts, exposing Roll20 users’ personally identifiable information (PII).

Names, email and IP addresses, and partial banking data revealed

The data concerned includes users’ first and last names, email addresses, last known IP addresses and, for users who kept a payment method registered in their Roll20 account, the last four digits of the credit card.

The company added that neither users’ passwords, which are stored as salted bcrypt hashes, nor full payment information was exposed.

“We do not store this information on our servers; it is stored with our payment processors,” the company explained.

“While we have no reason to believe that your personal information has been misused, we are notifying you so that you have the information and tools to help detect and prevent any misuse of your personal information,” the company added.

Roll20 told board game news site Dicebreaker that its user base reached 10 million people in 2022. The platform now claims 12 million users on its website.

A Roll20 spokesperson contacted by media did not disclose the total number of users affected by the breach.

Roll20 has implemented a post-incident action plan

In its security notice, Roll20 said its security team noticed the compromise around 6:30 p.m. PT on June 29.

“The attacker modified a user account and we quickly reversed those changes. At 7:30 p.m. [the same day] we blocked all unauthorized access and ended the network breach,” the notice reads.

Roll20 did not specify who the hackers were or how they gained access to the company’s administrative portal.

However, the company confirmed that it has started implementing an action plan following the incident, which includes:

  • Further restricting access to administrative accounts to prevent unauthorized use
  • Further restricting the data an administrative user can access
  • Adding enhanced security measures as necessary to prevent this incident from happening again

Roll20 users can contact the company via https://help.roll20.net with the subject line “Request for incident data”.
