Roll20 shared information about the attack in February, when they discovered the issue. At the time they confirmed that names and email addresses had been taken, along with the last four digits of credit card numbers. They also stressed that payment processing was handled by Stripe and PayPal, so full payment details were never on Roll20's servers, and that passwords were hashed with bcrypt.
Dark Web Activity
HIBP says that a source at [email protected] provided them with the data needed to update their records. A Google search shows that Jim Scott has an established history of supplying HIBP with breach information.
What may be new is the activity that kicked Have I Been Pwned and researchers into action. Hacked data surfacing on the dark web is often the trigger that security sites use to confirm that a hack was real and that the data is now compromised and in circulation.
It is possible that the Roll20 hackers have now started trying to sell their list of email addresses. The security monitors and researchers who watch for such listings may have detected the attempt, which would explain the fresh batch of alerts.
Geek Native has seen a small surge in activity on its old Roll20 report, and in conversations and alerts about the months-old hack on Discord and in other communities.
At the time of writing there is no suggestion that there has been a new Roll20 breach, or that any more information has been discovered. Roll20 took part (and may still be taking part; details like this aren't discussed in public) in an investigation into the attack.
Google offers a free Chrome extension, Password Checkup, that helps automate this kind of check. It compares the username and password you enter at login against Google's database of credentials exposed in known breaches and warns you if they match; the comparison is done over hashed and encrypted values rather than the raw password, so Google does not learn what your password is.
Password managers such as LastPass are also worth considering. Nothing is perfect, but they make it easier to avoid re-using the same password across every site you log into, and they can generate strong, unique passwords in the first place.
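As an added illustration (this is example code written for this article, not Roll20's, Google's or HIBP's own code), here is the hash-prefix "range query" approach that services such as Have I Been Pwned's Pwned Passwords use to let a client check a password against a breach corpus without sending the password itself. The client sends only the first five hex characters of the SHA-1 hash; the server returns every matching suffix, and the client does the final comparison locally. The leaked-password list, the counts and the function names below are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample breach corpus: passwords we pretend were leaked.
# Purely illustrative data, not Roll20's or HIBP's.
_LEAKED_PASSWORDS = ["password", "123456", "123456", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- server side -----------------------------------------------------------
# Index: 5-char hash prefix -> list of (35-char suffix, times seen).
_INDEX: Dict[str, Dict[str, int]] = {}
for _pw in _LEAKED_PASSWORDS:
    _h = sha1_hex(_pw)
    _bucket = _INDEX.setdefault(_h[:5], {})
    _bucket[_h[5:]] = _bucket.get(_h[5:], 0) + 1


def range_query(prefix: str) -> List[Tuple[str, int]]:
    """Server: return (suffix, count) for every leaked hash sharing the prefix.

    The server never sees the full hash, only the 5-char prefix, so one query
    covers a whole bucket of unrelated hashes (k-anonymity).
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return sorted(_INDEX.get(prefix, {}).items())


# --- client side -----------------------------------------------------------
def check_password(password: str) -> int:
    """Client: how many times the password appears in the corpus (0 = not found).

    Only the prefix leaves the client; the suffix comparison happens here.
    """
    full_hash = sha1_hex(password)
    prefix, suffix = full_hash[:5], full_hash[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def warn_on_login(password: str) -> str:
    """Mimics the extension behaviour described above: warn at login if compromised."""
    seen = check_password(password)
    if seen:
        return f"WARNING: this password appears {seen} time(s) in known breaches; change it"
    return "ok"


if __name__ == "__main__":
    for pw in ["123456", "correct horse battery staple"]:
        print(pw, "->", warn_on_login(pw))
```

The real Pwned Passwords endpoint takes the same 5-character prefix at https://api.pwnedpasswords.com/range/{prefix}; this example keeps everything in memory so it runs offline. Browser-based checkers such as Password Checkup use a more elaborate blinded protocol, but the principle is the same: the secret never leaves the client in a form the server can invert.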
Are you worried about the Roll20 security breach?