A hacker has bombarded OneBookShelf’s DriveThruRPG and DM’s Guild sites with login attempts using password and email combinations gathered gleamed from unrelated sites. It’s the classic scenario wherein security experts advise you to use different passwords on different sites.
OneBookShelf has confirmed that some accounts have been affected and the hacker has been able to withdraw money. The retailer has contacted everyone affected.
OneBookShelf has also confirmed they will be reimbursing whatever funds have been lost during the hack.
A statement from the company said;
Yesterday morning a hacker accessed multiple accounts on DriveThruRPG, DMsGuild or other OneBookShelf site and succeeded in withdrawing earnings from account balances to the hacker’s own PayPal accounts.
At this time, we believe the hacker was using a database of email/password credentials stolen from other site(s) and attempting to see if the same email had an account on our site as well and if such account used the same password on our site. An extremely large network of “zombie” devices have been used in this attack to deluge our site with such log in attempts. It would seem that the hacker got a match on a few accounts and therefore successfully logged in as the publisher/author and withdrew funds from the author’s OneBookShelf account.
To be clear, there is zero evidence that our database or servers were hacked or compromised. Only certain customer accounts were logged into and funds fraudulently taken from those accounts.
Sites do not always reimburse money when accounts are ‘compromised’ by a hacker knowing a successful password and login combination.
Publishers and affiliates first suspected a problem when it becomes impossible to withdraw money from OneBookShelf accounts. The retailer temporarily suspended their withdrawal functionality as part of their defence against the malicious attack on their systems.
OneBookShelf has communicated the news to publishers but is yet to make a wider public announcement on what is probably still a live situation.
Thoughts? Can you contribute to this article? Share your insight in the comments below.
Hmm, around the 15th of October I had my card used to buy Steam gift cards. I bought something on Drivethrurpg a day or 2 before that. I suspected they were the cause of the lost cc details and notified them. This article is the first thing I’ve heard about this breach (so if I’m right, this is incorrect both in the reach of the breach, and they haven’t notified everyone affected). I was also hit in the previous breach in 2015. In both cases the money was returned to me by my card company within mere hours, so I’m… Read more »
Sorry to hear you’ve had bother, pleased it’s been sorted out by your card provider. If it gives you any peace of mind, what happened to you does not fit the DriveThruRPG attacks scenario. In this case, usernames and passwords hacked from elsewhere we used to try and withdraw money from PayPal via DriveThruRPG. It wasn’t about credit cards. If you suspect you’ve been using the same username and password combination on more than one site, it would be likely that if there was a credit card level breach, then it happened somewhere else and perhaps from whichever site gave… Read more »