Roll20, a widely used platform for online tabletop role-playing games (RPGs), revealed on July 3 that it had fallen victim to a security breach. According to its official statement, an unauthorized party successfully accessed Roll20’s administrative website on June 29, compromising sensitive personal information of its user base. The breach exposed a range of personally identifiable details, including users’ names, email addresses, last known IP addresses, and the last four digits of credit card numbers for those who had stored payment methods on their accounts. Notably, Roll20 assured users that passwords, which are protected by salting and bcrypt hashing, were not compromised since they are managed by external payment processors rather than stored locally.
In response to the breach, Roll20’s security team acted swiftly upon discovering the intrusion. They detected the unauthorized access at approximately 6:30 PM Pacific Standard Time on June 29 and promptly took action to reverse any unauthorized modifications by 7:30 PM the same day. They also quickly secured their systems to prevent further access and have since launched a comprehensive post-incident action plan. This plan includes tightening access controls to administrative accounts, limiting the scope of data accessible to administrative users, and implementing additional security measures to bolster their overall system defenses against similar threats in the future.
Roll20, known for its expansive community and reported user base of 12 million, has reached out to affected users to provide guidance on monitoring and protecting their personal information. While specific details on the number of users impacted were not disclosed, the platform has set up a dedicated support channel for users to address any concerns or queries related to the breach. This incident highlights the ongoing challenges and risks associated with cybersecurity in digital gaming platforms, underscoring the need for stringent security protocols and proactive measures to safeguard user data and maintain trust within online communities of gamers and RPG enthusiasts alike.