Online role-playing and board game company Roll20 has revealed that it suffered a data breach that resulted in the exposure of sensitive user data.
The company confirmed the news in a FAQ post on its website, which notes that an unauthorized individual accessed its systems on June 29 using a compromised administrator account. From there, they were able to view and modify other people's accounts.
The threat actor remained inside Roll20's systems for about an hour, during which time they made changes to one user account. Those changes have since been reverted.
“Action plan” for the future
As for the other users, their personal data was accessed, the company said. Among the data exposed were full names, email addresses, last known IP addresses and the last four digits of their credit card (if the users had provided such information).
Account passwords were not exposed, because Roll20 stores only salted bcrypt hashes rather than the passwords themselves. Payment card details were not exposed either, as Roll20 does not store them on its servers.
Other key information is missing from the FAQ. In particular, the company did not say how many people were affected by the breach or whether the attacker has leaked the information. We also don't know exactly how the administrator account was compromised: whether the administrator's computer was infected with malware, or whether the administrator handed over the login credentials in a phishing attack.
We've asked Roll20 for further clarification and will update this article if we hear back.
To prevent similar incidents from happening in the future, Roll20 has implemented an “action plan” that includes further restrictions on administrator accounts, more restrictions on what data even an administrator can access, and “enhanced security measures as needed.”
Roll20 is one of the most popular platforms in its category, with more than 12 million active users.