Tabletop gamers hit by data breach affecting Roll20 gaming site

An abstract image of a lock against a digital background, denoting cybersecurity.

(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

Online tabletop and role-playing game company Roll20 have revealed suffered a data breach that resulted in sensitive user data being exposed.

The company confirmed the news in an FAQ post published on its website, noting an unauthorized individual accessed its systems on June 29, using a compromised admin account. From there, they were able to view, and modify, other people’s accounts.

The threat actor dwelled inside Roll20’s systems for an hour, and during this time was able to make changes to one user account. The changes have since been reverted.

"Action plan" for the future

As for other users, their personal data were accessed, the company said. The data exposed includes the users’ full names, email addresses, last known IP addresses, and the last four digits of their credit card (in case the users provided such information).

Account passwords were not exposed since only salted, bcrypt hashes are stored. Furthermore, payment information was also not exposed since Roll20 does not keep it on its servers.

Other key information is missing from the FAQ. Notably, the company did not elaborate how many people were affected by the breach, and whether or not the hackers exfiltrated the information or not. We also don’t know exactly how they gained access to the admin account, whether the target’s computer was infected with malware, or if the admin gave the login credentials away in a phishing attack.

We asked Roll20 for further clarification and will update the article if we hear back from them.

To prevent similar incidents from happening in the future, Roll20 implemented an “action plan” that includes further restrictions to the admin accounts, further restrictions to the data even an admin can access, and “enhanced security measures, as needed”.

Roll20 is one of the most popular platforms in its category, with more than 12 million active users.

More from TechRadar Pro

Indonesian government says national data center was hit in ransomware attack - but it won't pay up
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.