Roll20, a Virtual Tabletop RPG Platform, Reveals Security Breach

The online gaming platform specializing in table-top and RPG experiences, Roll20, revealed on Wednesday its recent confrontation with a data security incident, leading to the unintentional disclosure of certain user information.

Through an announcement on its website, Roll20 reported that an unauthorized individual accessed an administrative account on June 29 for a duration of one hour before the intrusion was detected and subsequently halted.

Roll20 elaborated that this security compromise resulted in the alteration of a single user account, which was quickly corrected. However, during the breach, the intruder had the capability to browse through all user profiles.

Roll20 has acknowledged that the intruder might have viewed personal details of its users, including names, email addresses, the last IP address used, and the last four digits of credit card numbers for those who had payment details saved on the platform. It reassured users, however, that complete credit card details and passwords remained secure and inaccessible.

The company is actively reaching out to inform affected users. Notifications have been echoed by individuals on various social networks, with links to several posts sharing the email notifications. This development was also personally confirmed by a TechCrunch journalist who received the notice.

Inquiries made by TechCrunch regarding the scope of affected users, the number of those with compromised credit card digits, the method of unauthorized access, and any details on the identity of the culprits were left unanswered by company spokesperson Jayme Boucher.

Boasting 12 million users on its platform, Roll20 claims the title of the foremost virtual home for Dungeons & Dragons enthusiasts online.

“This unfortunate incident, unfolding under our supervision, is deeply regretted. Despite having no indications of misuse and with no password or full credit card details exposed, we choose to uphold a stance of transparency with our users regarding the safety of their personal data,” responded Boucher to TechCrunch via email. “Our ongoing investigation has yet to reveal more specifics beyond our initial email alert. Prompt and open communication with our user base has been our priority throughout this issue.”

Back in 2019, TechCrunch uncovered a massive data heist where a hacker purloined over 600 million records from 24 platforms, including Roll20, then went on to sell 4 million of these records online.