Roll20, a popular online board game and role-playing game platform, announced on Wednesday that it had suffered a data breach that exposed the personal information of some of its users.
Roll20 said in a post on its official website that it detected a “malicious actor” accessing accounts on its administrative website for an hour on June 29, after which the company “blocked all unauthorized access and ended the network compromise.”
“A malicious actor modified one user account, and we immediately reverted that modification. During this time, the malicious actor had access to and was able to view all user accounts,” the company wrote.
According to Roll20, the hackers “may have been able to view” personal information about users, including their full name, email address, last known IP address, and the last four digits of their credit card if they had a payment method saved to their account. The company added that the hackers were not able to access any payment information, such as passwords, home addresses, or full credit card numbers.
Roll20 said it was notifying users of the breach. Several users shared screenshots of the email notifications on social media. A TechCrunch reporter also received the notification.
Roll20 spokesperson Jamie Boucher did not respond to a series of questions from TechCrunch, including how many users were affected, how many had their last four digits of their credit cards stolen, how the hackers accessed the administrative accounts, and whether the company has any information about the hackers.
Roll20 has 12 million users on its website and calls itself “the #1 choice for D&D online.”
“We sincerely regret that this incident occurred under our supervision. While there is no evidence of any data being misused and no passwords or card numbers were exposed, we feel it is important to be transparent with our users about the potential exposure of their personal information,” Boucher said in an email to TechCrunch. “We are still investigating and do not have any additional details to share at this time beyond what we shared in the email notification. We prioritized communicating as quickly and transparently as possible, which is why we notified users today.”
In 2019, TechCrunch reported that hackers stole more than 600 million records from 24 websites, including Roll20. The hackers listed 4 million records from the company at the time.
