Popular online board and role-playing game platform Roll20 announced on Wednesday that it had suffered a data breach that exposed the personal information of several of its users.
In a post on its official website, Roll20 said that on June 29 it discovered that an “adversary” had gained access to an account on the company’s administrative website for an hour, after which the company “blocked all unauthorized access and terminated the network breach.”
“The attacker modified one user account and we immediately rolled back those changes. During this time, the attacker was able to access and view all user accounts,” the company wrote.
According to Roll20, the hacker could have accessed users’ personal information, including their full name, email address, last known IP address and, if the user had a payment method saved to their account, the last four digits of their credit card. The company added that the hacker did not have access to passwords or to full payment information such as home addresses and full credit card numbers.
Roll20 said it is notifying users of the breach. Several users shared screenshots of the email notification on social media. A TechCrunch reporter also received the same notification.
Roll20 spokesperson Jayme Boucher declined to respond to a series of questions from TechCrunch, including how many users were affected in total, how many users had the last four digits of their credit cards stolen, how the hacker gained access to the administrator account, and whether the company has any information about who the hacker or hackers were.
Roll20 says on its website that it has 12 million users and is “the #1 choice for D&D online.”
“We deeply regret that this incident occurred during our oversight. While we have no evidence that data was misused and no passwords or card numbers were exposed, we feel it is important to be transparent with our users about any potential exposure of their personal information,” Boucher told TechCrunch in an email. “We are still investigating and do not have any further details to share at this time beyond what we shared in our email notification. We have prioritized being as transparent as possible as quickly as possible, which is why we notified users today.”
In 2019, TechCrunch reported that a hacker had stolen more than 600 million records from 24 websites, including Roll20. At the time, the hacker had listed 4 million records from the company.