View Full Version : Data Breach, Gaming Sites Affected



LordEntrails
February 14th, 2019, 23:51
If you needed another reason to use unique passwords on each and every website, here's another; https://techcrunch.com/2019/02/14/hacker-strikes-again/


A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from eight more websites, TechCrunch has learned.

damned
February 15th, 2019, 00:09
Roll20, a gaming site, had 4 million records listed

Ouch.

LordEntrails
February 15th, 2019, 01:08
What gets me is that, according to that article, one/some of the websites (unspecified) stored the passwords in plaintext. That, imo, should be criminal. No wonder Europe has implemented the GDPR, I hope everyone else follows.

LordEntrails
February 15th, 2019, 01:23
Some interesting info, Under Armour announced the Breach March 29th of last year. https://www.uabiz.com/news-releases/news-release-details/under-armour-notifies-myfitnesspal-users-data-security-issue?ReleaseID=1062368

Animoto on July 10th; https://techcrunch.com/2018/08/20/animoto-hack-exposes-personal-information-geolocation-data/

Houzz on Feb 4th; https://help.houzz.com/s/article/security-update?language=en_US

px500 on Feb 13th and the breach was from July 2018; https://techcrunch.com/2018/08/20/animoto-hack-exposes-personal-information-geolocation-data/

Coffee Meets Bagel and Roll20 just acknowledged it today; https://techcrunch.com/2019/02/14/happy-valentines-day-your-dating-app-account-was-hacked-says-coffee-meets-bagel/ & https://app.roll20.net/forum/post/7209691/roll20-security-breach

What I wonder is why some of the sites knew about it before it was publicly announced, and why others did not. I suspect that's because some do regular security audits and others don't. But, maybe someone more familiar with security can shed more light?

damned
February 15th, 2019, 01:27
The breaches are unlikely to have all happened on the same day.
And there is, as you suggest, a widely varying difference in businesses' ability to detect these things...

iotech
February 15th, 2019, 03:46
Roll20's announcement to users:
https://app.roll20.net/forum/post/7209691/roll20-security-breach

ddavison
February 15th, 2019, 15:47
Just some food for thought here and to ease people's minds:

Passwords are hashed in our system and we can't recover them, we can only reset/replace them
Our system stores emails, forum posts, blogs and purchase history.
Our system does not store any financial data for customers or customer addresses. Those are all offloaded to PayPal and don't enter our system at all. Even monthly subscriptions are billed directly from PayPal and not from our end.
Steam handles all payment, financial and other information for customers on Steam. We only get enough info to link a purchase to an account here.
We contract out to a firm to regularly review and patch our servers and we apply the latest forum software updates for the stable version we are working with
We maintain and archive server access and error logs that we periodically review with our outside contractor
We utilize Cloudflare as an extra layer of protection on top for protection against a wide array of attacks


I do encourage people to use different passwords for different sites.

mattekure
February 15th, 2019, 15:52
Thank you very much for the info, we all appreciate your efforts at keeping our info safe.

LordEntrails
February 15th, 2019, 17:17
Thanks for the info Doug. FYI, I wasn't fishing for a response from you, but do appreciate it!

Andraax
February 15th, 2019, 22:39
> I do encourage people to use different passwords for different sites.

I recommend using LastPass or similar to manage your passwords.

mattekure
February 15th, 2019, 23:07
Keepass is a great free alternative for anyone needing a password manager.

ColinBuckler
February 16th, 2019, 09:43
In Cyber Security the approach is not "if we get hacked" but "when we get hacked" and the policies/approach the company takes to address the issues.

I think it's very open and transparent what ddavison has posted regarding the information held about us - their customers and users.

One thing to be aware of is like all contracts - if SmiteWorks were to have a data breach in the future, SmiteWorks is responsible for our data - if they choose to use a 3rd party to process our data/payments/update servers/...etc it would not remove SmiteWorks' responsibility to protect their userbase/data as our contract is with SmiteWorks, and SmiteWorks' contract is with the 3rd party (not us).

Saying that, I believe SmiteWorks would work with us and be transparent unlike many other companies - this being based on their approach to customer engagement in the past.





Ampersandrew
February 16th, 2019, 16:29
I find the spelling mistake in the title of this thread to be annoying. :cry: I really doubt this data breach caused any gaming sites to come into being.

LordEntrails
February 16th, 2019, 17:59
> I find the spelling mistake in the title of this thread to be annoying. :cry: I really doubt this data breach caused any gaming sites to come into being.
Well, I've never understood, or cared about the difference in effected and affected, so, oh well :)

VickyLyn
February 16th, 2019, 21:00
Most people do not care about their security until something happens

Zacchaeus
February 16th, 2019, 23:59
> I find the spelling mistake in the title of this thread to be annoying. :cry: I really doubt this data breach caused any gaming sites to come into being.
I changed it for you :)

Ampersandrew
February 17th, 2019, 00:11
> I changed it for you :)

Ta.