Popular online tabletop and role-playing game platform Roll20 announced on Wednesday that it had suffered a data breach that exposed the personal information of some of its users.
In a post on its official website, Roll20 said it detected that a “malicious actor” had accessed an account on its administrative website for an hour on June 29, after which the company “blocked all unauthorized access and terminated the network breach.”
“A malicious actor made changes to one user account that we immediately reverted. During this time, the malicious actor was able to access and view all user accounts,” the company wrote.
Roll20 said the hackers “may have been able to view” users' personal information, including full names, email addresses, last known IP addresses, and the last four digits of credit card numbers (if users have a payment method registered to their account). The company added that the hackers did not have access to passwords or full payment information, such as home addresses or credit card numbers.
Roll20 said it was notifying users about the breach. Several users shared screenshots of the email notifications on social media, including one that a TechCrunch reporter received.
Roll20 spokesperson Jamie Boucher declined to respond to a list of questions from TechCrunch, including how many users were affected in total, how many had their last four credit card digits stolen, how the hackers gained access to the administrator account, or whether the company has any information about who the hackers might be.
On its website, Roll20 says it has 12 million users and is the “#1 choice for online D&D.”
“We are truly sorry that this incident occurred on our watch. While there is no evidence that any data was misused and no passwords or card numbers were leaked, we believe it is important to be transparent with our users about the potential exposure of their personal information,” Boucher told TechCrunch via email. “We are still investigating and cannot provide any further details at this time beyond what we shared in our email notification. Our priority is to provide maximum transparency as quickly as possible, which is why we notified users today.”
In 2019, TechCrunch reported that hackers had stolen more than 600 million records from 24 websites, including Roll20. At the time, the hackers had listed 4 million records from the company.