There’s been a new data breach at Roll20. The following information from your account may have been exposed:
- First Name
- Last Name
- Last four digits of your credit card (if you stored one)
- Last known IP address
The incident came to light at 6:30pm on June 29th, and by 7:30pm Roll20 had shut it down. Roll20, however, has yet to say when the unauthorised access began, only that they learned about it at 6:30pm.
The illicit access to Roll20’s systems came through a compromised admin account, one with permissions to view data and details that regular accounts cannot.
Roll20 have said:
“We take your privacy and security very seriously, and we deeply regret that this incident occurred. We will be implementing an action plan to further enhance the security of our administrative tools going forward.”
This blogger notes that going from containing the data breach to telling customers about it in less than a week is good: unfortunately rare, but best practice.
Roll20 has been hacked before, including being one of the victims in a notorious mega hack in 2019. In response to that hack, Roll20’s lead designer said:
“Roll20 only maintains the following personal information: users’ name, email address, hashed password, last login IP and time of login, and the last 4 credit card digits.”
Those security policies seem to have borne fruit, as we can see only a subset of that limited data has been exposed by this incident.
If you’re worried you may have been affected, Roll20 has provided the following next step:
“If you have questions, or if you would like to view a copy of your account data that the third party may have had access to, please reach out to us at https://help.roll20.net and create a support ticket with the subject line “Incident Data Request” and we will be happy to assist you.”
What are your thoughts? Strike up a discussion and leave a comment below.