DriveThruRPG Hacked

damned
August 11th, 2015, 00:02
Got an email just now saying that DriveThruRPG/RPGNow had been hacked and customer data may have been stolen.

Hackers and hacking attempts continue to increase at a very significant pace. The FGCon website gets between 500 and 7000 hack attempts per hour. That is every hour, and that is only one website on that server. Even the Teamspeak server gets stupid DDOS attacks on it quite regularly. An example of how hard this is to combat:
There is a botnet attempting to hack both the control panel and the WordPress admin sections of FG Con. Each attacking IP address tries only 2x and then the next computer tries. This botnet of many tens of thousands of computers each log in to a central server and get told what website/address/username/password to try; they then report back their results and get new instructions. It is impossible to block/firewall them because they only try twice. Each of these botnet computers can attempt hundreds of logins every minute.

For your own safety - please use very strong passwords (at least 12 alpha/numeric/special characters) and do not reuse passwords. Check your credit card statements every month and report anything unusual immediately.
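A defender's view of the pattern damned describes above: a per-source lockout rule never fires when every bot stops after two tries, but counting distinct source addresses per target username in a time window does surface the campaign. This is an added example, not anything from the thread or from FG Con; the log line format, the sample lines and the thresholds are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log in an assumed "timestamp src user result" format
# (not real FG Con logs). Each source IP fails at most twice, as described above.
SAMPLE_LOG = """\
2015-08-10T23:00:01 src=198.51.100.10 user=admin result=fail
2015-08-10T23:00:02 src=198.51.100.10 user=admin result=fail
2015-08-10T23:00:03 src=203.0.113.7 user=admin result=fail
2015-08-10T23:00:04 src=203.0.113.7 user=admin result=fail
2015-08-10T23:00:05 src=192.0.2.44 user=admin result=fail
2015-08-10T23:00:06 src=192.0.2.45 user=admin result=fail
2015-08-10T23:00:08 src=192.0.2.46 user=admin result=fail
2015-08-10T23:05:00 src=198.51.100.99 user=bob result=fail
2015-08-10T23:05:30 src=198.51.100.99 user=bob result=ok
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(text):
    """Return (timestamp, source_ip, username, result) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def per_ip_blocks(events, max_fail=3):
    """Classic rule: block a source after max_fail failures. Blind to a two-try botnet."""
    fails = defaultdict(int)
    for _, src, _, result in events:
        if result == "fail":
            fails[src] += 1
    return sorted(src for src, n in fails.items() if n >= max_fail)

def distributed_targets(events, window=timedelta(minutes=5), min_sources=5):
    """Per-target rule: flag a username failed against from many distinct sources in a window."""
    by_user = defaultdict(list)
    for ts, src, user, result in events:
        if result == "fail":
            by_user[user].append((ts, src))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over sorted failures
            srcs = {s for t, s in hits[i:] if t - start <= window}
            if len(srcs) >= min_sources:
                flagged[user] = len(srcs)
                break
    return flagged
```

With the sample above, `per_ip_blocks` returns nothing while `distributed_targets` flags `admin` with five distinct sources inside the window; the response to such a hit is a per-account control (rate limit or challenge on that username), not more IP blocks.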

kylania
August 11th, 2015, 02:33
Wondering why I didn't get an email, I checked their Facebook. Apparently credit card data for purchases between July and August was captured. Login info should be OK, but if you got that email you should check/replace the credit cards you used with DTRPG.

Mellock
August 11th, 2015, 05:59
From the FAQ:

> Q: Should I contact you to see if my credit or debit cards were affected?
>
> A: If your card was among those that were potentially affected, then we have already sent you an email about it. If we did not send you an email, then yours was not one of the cards that were potentially affected.

Sorry to hear it, damned :( Glad I didn't get the e-mail either.

Griogre
August 12th, 2015, 01:13
I have to strongly suggest you don't ever have a site save credit card info if they are not your bank or someone like Amazon. Damned was being generous, I'd suggest strong 16 character passwords. It's trivial for a mediocre video card to brute force a password of 6 or less characters and you don't start getting any real security until strong 12 character passwords, IMO.

Andraax
August 12th, 2015, 01:27
Credit cards are insured, and you are not responsible for any fraud. Which is why I don't have a problem with saving my CC info on websites.

Griogre
August 12th, 2015, 01:44
Ah yes, but your time isn't insured or the hassle of getting a new card, etc. :p

Andraax
August 12th, 2015, 03:28
Last time I had to do it, it took like 5 minutes. Having to dig out my wallet and enter the info into the website is going to eat up that 5 minutes pretty quickly.

MTS
August 12th, 2015, 04:46
I got the email, had to cancel my card and tomorrow I have to get my bank to issue a new one. A bit of hassle, but not too bad. From now on, I'm ONLY using Paypal with DriveThruRPG. And, at least nothing was stolen but my time...

It's funny how they used a standard form to notify their customers; and they didn't proof-read it very well. How can I tell? They forgot to put their company name in the appropriate spot: "Security has always been our top concern and up until this incident we were proud of our security record at ." ROFL What security record was that?

Andraax
August 12th, 2015, 04:48
So, you had fraud on your card?

hawkwind
August 12th, 2015, 09:04
I only use PayPal on DriveThru, but these events are happening way too often, even to very big organisations that should know better. How long before we all have two-step verification for all online card purchases?

Nylanfs
August 12th, 2015, 11:58
Umm, PayPal can also get hacked. https://www.ibtimes.com/paypal-accounts-hacked-click-engineer-uncovers-potential-security-breach-1735158

Personally I don't store any cc info on any site, and generally try to only use a re-loadable gift card for small one time purchases.

kylania
August 12th, 2015, 14:44
That Paypal thing is not hacking, that's phishing. The end user needs to click on something for that "hack" to work. It's exactly the same as if the user went to hackme.ru and typed in their password. The DTRPG thing was a network breach where software was installed on one of two servers and was intercepting traffic and reporting it back to someone. Not a case of a user being silly and handing over their password.

By not storing your credit card you're vulnerable to phishing too. Since you expect to have to type in your info every time, you might not notice that one field is slightly different, while if your info is supposed to be stored you'd stop and wonder why you're having to put it in again.

Andraax
August 12th, 2015, 14:59
> generally try to only use a re-loadable gift card for small one time purchases.

Sounds like a pain in the butt to me; especially considering I'm already insured against fraud on my CC. The only time I would use something like this is if I'm dealing with someone who has a reputation for theft, like a debt collector or something.

kylania
August 12th, 2015, 15:10
I tried to use gift cards with PayPal once. The vendor wouldn't allow multiple credit cards but would accept PayPal, so I thought why not add the gift cards to Paypal!

So I added my $15 rebate gift card to PayPal and entered it as payment for my $15 token pack... and it was declined! What? Apparently PayPal had charged $1 to the gift card to make sure it was real, so when I tried to use it to buy $15 it said you only have $14 available... grr. I didn't want to wait so just used "real money" instead. heh

damned
August 12th, 2015, 15:37
> I'm already insured against fraud on my CC

At least here in AUS the banks are very willing to reimburse their customers for fraudulent transactions. Not that the bank usually loses out either: they cancel the payment to the merchant, so the merchant wears the cost. So whilst you should always take lots of care, it is unlikely that you or I will get left out of pocket from a hacking instance.

Andraax
August 12th, 2015, 16:16
In the US, the banks don't have to be "willing" - it's federal law. And the major CC processors (VISA/MasterCard) are insured against fraud. Actually, even while the merchant is initially "charged back" for fraud, if they can show that they were not involved - i.e., it wasn't one of their employees involved in the fraud - most of the time they eventually get payment and Visa / MasterCard eats the cost.

Trenloe
August 20th, 2015, 04:45
I've just had some fraudulent activity on the credit card I had on file at DTRPG (three charges at various retail stores). My credit card company (Capital One) noticed the possible issue (SMSing and emailing me regarding it) and I'll be covered by their fraud prevention policy. So, no money lost and only now will I need to get a new credit card sent to me and my old one cancelled. A bit of a PITA but I didn't lose any money.

Ardem
August 20th, 2015, 08:36
Got unusual CC charges today and had to cancel the card. I wonder if it was from here.

Andraax
August 20th, 2015, 12:39
Retail stores? Usually online theft is associated with online purchases. I just checked mine, nothing unusual.

Ardem
August 21st, 2015, 01:30
Not sure; the purchases were in the States. The bank rang me up and said this is unusual, and I said yes, you should cancel.

ddavison
August 21st, 2015, 01:52
Thankfully we don't store Credit Card info on our site. We hand off to Paypal right away and let them worry about fending off the hackers. Hackers suck, though.

Has anyone found fraudulent charges for cards they used to pay for stuff on DTRPG if they didn't save the CC info? I don't save the CC info, but I have bought things on there from time to time and I obviously have a business account with them.

Black Hammer
August 22nd, 2015, 18:58
I just poked through my account history (on account of having issues with my local gas stations, again... I don't save my DTRPG CC info either) and didn't see anything unusual.