Data Breach



bukkyo
August 13th, 2019, 19:49
I just got an e-mail from the former company I used for a VTT, stating they had a data breach and my info is no longer secure. What are the people at Fantasy Grounds actively doing to protect us all from this happening here? Just curious...

bukkyo
August 13th, 2019, 19:59
Defense in depth please

LordEntrails
August 13th, 2019, 21:25
To clarify, I assume you mean the Data Breach for Roll20 that was announced last February and that the Orr Group published the completion of their investigation this week?

I will say that we all should be using unique passwords on each website/account we use rather than a standard password on all sites.

Will have to let SmiteWorks reply to what they are doing, but just wanted to make sure no one was confused that the data breach might have affected FG accounts.

Trenloe
August 13th, 2019, 21:48
See details from the Smiteworks president here: https://www.fantasygrounds.com/forums/showthread.php?47942-Data-Breach-Gaming-Sites-Affected&p=426411&viewfull=1#post426411

bukkyo
August 13th, 2019, 23:38
Hmmm, hopefully someone from SmiteWorks is able to answer this question with some current information. I have put a lot of money into this system and would hate to lose it all since we are not protected.

Zacchaeus
August 13th, 2019, 23:40
An old statement from 2008? (11 years ago) Hmmm, hopefully someone from SmiteWorks is able to answer this question with some current information.
The post Trenloe linked is 5 months old.

Trenloe
August 13th, 2019, 23:41
An old statement from 2008? (11 years ago) Hmmm, hopefully someone from SmiteWorks is able to answer this question with some current information.
That post is from February this year (2019).

bukkyo
August 13th, 2019, 23:48
yeah I see that but this seems to be a thing now. I just want peace of mind

bukkyo
August 13th, 2019, 23:49
and I edited my post to what I had said

bukkyo
August 13th, 2019, 23:51
and good job quoting a post that I edited like 10 seconds later LOL

damned
August 13th, 2019, 23:54
No company publishes their defenses.
The breach you reference states the same.
It's safe to assume that this website is the target of numerous hacking attempts.
Even as consumers we should be aware that every place that we have data stored will potentially be hacked, and we should ensure that a breach of one place will not allow other places to be breached.
The two biggest things that every one of us should do are:
1. Protect your email account(s) as much as you can: very secure passwords, secure connections only, don't connect to your email over public Wi-Fi, and use two-factor authentication.
2. Use secure and unique passwords on every site.

bukkyo
August 13th, 2019, 23:59
Just looking for some straight answers. All I get from this is we use a service, change your passwords, and we update. I guess I will just hope for the best.

Trenloe
August 14th, 2019, 00:08
Just looking for some straight answers. All I get from this is we use a service, change your passwords, and we update.
That post I linked from 5 months ago probably has more info than you'll get from most companies and has very straight answers. Just what exactly are you looking for? As FG don't store an accessible version of your password on the system the advice to change your passwords is based on people getting that from other systems, not from FG.


I have put a lot of money into this system and would hate to lose it all since we are not protected.
That post shows that if there's an FG breach no financial data will be accessed (other than your orders), no password information, or other info that would really cause concern. The most they'll be able to get is your email address, that they probably already have from other data breaches.

So I don't understand how you think you're not protected or that you'll "lose it all".

LordEntrails
August 14th, 2019, 00:10
What do you want?
"We use;
- XYZ service
- MNO encryption with bob method bob password hashing
- on a Mary SQL data base at version 1.2.3
???

Those are the types of details that a hacker would want to know to make hacking the database easier. First, Smiteworks has said that they do not store financial information on any customers. They use PayPal and Steam and allow those sites to manage and be responsible for the financial information.

In that regard, what information does SW have on their customers. Well if I look at my account they have;
- my email address
- an encrypted and hashed password
- the date you created your account and whatever info you put in your profile
- the list of things I have purchased from them

And, they also keep logs of everything and have a third party firm verify their security compliance.

They do NOT have;
- my credit card number, bank account number or any other financial information
- date of birth, address, social security number

What are you afraid that someone might get IF they breached SW's servers? Worst case is a hacker might delete your purchase history and SW would have to go to a backup to verify your purchase history.

damned
August 14th, 2019, 01:03
Ask the same question of your bank and they too wont give you details of their setup or protection other than what you already know. All businesses keep this information to themselves.

bukkyo
August 14th, 2019, 01:07
Well, from my understanding the company you use only protects from DDoS attacks and wouldn't do jack. Also, hearing that you do have a backup in case my account is deleted or removed is exactly the information I was looking for. Let's see what I want. A. Tell me SmiteWorks has a 5 year and a 10 year plan for cyber security. B. Are you actively testing your own software for vulnerabilities? C. These are all reasonable questions. I am not a hacker, but I know a few in cyber security. I have my answers, will seek more details elsewhere since clearly you are being combative in this topic. Thanks and have a great day.

esmdev
August 14th, 2019, 01:07
Just looking for some straight answers. All I get from this is we use a service, change your passwords, and we update. I guess I will just hope for the best.

One thing you should consider is that if they give you the straight answers you want your data would become less secure. The more information that is out there about specifics the more probability of a successful hack. It is not bulletproof but it is another layer of data security. As a person familiar with data security you are more likely to find your info breached at a larger firm (banks, card handlers and online retailers) than smaller firms. The information that can be gotten about you from those larger types is infinitely more damaging than the limited data Smiteworks has about you.

Your biggest point of vulnerability or security is actually you and your password. My recommendation is to use a unique password with multi-case alphanumeric characters with several random symbols thrown in here and there, of at least 16 characters in length. One of the principal ways a malicious hacker gets into an account is to gain information from one site and then try the username/email and password combination on other sites. So if you have a different password on every site you use, you are safer even in the event of a data breach.
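The advice in damned's and esmdev's posts (unique passwords per site, because leaked credentials get replayed elsewhere) and LordEntrails's note that the site holds "an encrypted and hashed password" rather than the password itself can be shown end to end in a few lines. The following is an added example written for this page; it is not code from SmiteWorks, Fantasy Grounds, or anyone in the thread, and it makes no claim about how the FG site actually stores passwords. The user table for "site B" and the plaintext dump "leaked from site A" are constructed for the demo; the salted PBKDF2 storage format and iteration count are my assumptions.

```python
"""Credential stuffing, simulated offline.

Added example, not code from SmiteWorks, Fantasy Grounds, or any poster in
the thread. Every account and the "leaked" dump below are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Set, Tuple

# OWASP's Password Storage Cheat Sheet currently recommends 600,000 rounds
# for PBKDF2-HMAC-SHA256; reduced here only so the demo runs quickly.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means two
    users with the same password get different stored values, and a stolen
    table cannot be attacked with one precomputed lookup for all rows."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time.
    The stored digest is never 'decrypted'; there is nothing to decrypt."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed accounts on "site B" (the defender). Only the salted hash is kept.
_SITE_B_PLAINTEXT = {
    "alice@example.com": "correct horse battery staple",  # reused on site A
    "bob@example.com": "Summer2019!",                      # reused on site A
    "carol@example.com": "N3ver-reused-Xk9$",              # unique to site B
}
SITE_B_TABLE: Dict[str, Tuple[bytes, bytes]] = {
    email: hash_password(pw) for email, pw in _SITE_B_PLAINTEXT.items()
}

# Constructed plaintext dump from an unrelated "site A" breach.
SITE_A_DUMP = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "Summer2019!"),
    ("carol@example.com", "tabletop4life"),  # Carol used a different password on A
    ("dave@example.com", "hunter2"),         # no account on site B at all
]


def credential_stuffing(dump: Iterable[Tuple[str, str]],
                        table: Dict[str, Tuple[bytes, bytes]]) -> Set[str]:
    """Replay every leaked (email, password) pair against site B's login check.
    Returns the accounts that fall. Only password reuse makes this work; the
    attacker never needed site B's hash table."""
    compromised: Set[str] = set()
    for email, password in dump:
        record = table.get(email)
        if record is None:
            continue
        salt, digest = record
        if verify_password(password, salt, digest):
            compromised.add(email)
    return compromised


def same_password_different_hash(password: str = "Summer2019!") -> bool:
    """Two hashes of the same password differ because each gets its own salt."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    fallen = credential_stuffing(SITE_A_DUMP, SITE_B_TABLE)
    for email in sorted(SITE_B_TABLE):
        print(f"{email}: {'compromised via reuse' if email in fallen else 'safe'}")
    print("same password hashes differently:", same_password_different_hash())
```

Carol is the only account that survives, and not because site B did anything special: the attacker already had working passwords for Alice and Bob from the other breach, so site B's hashing was irrelevant to them. Hashing protects the site B table if it is stolen; only a unique password protects you when a different site is the one that leaks.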

Dtoad
August 14th, 2019, 01:12
Hey smiteworks I know I'm kinda new here but I would like to know the address of your company and the locations of all your security cameras and I need to know the passwords to get in and where you keep your car keys and the ss# of all your employees so I can evaluate my security if I buy your product.

Just looking for straight answers. K thx bai.


Also, and this is VERY important....boxers or briefs?

LordEntrails
August 14th, 2019, 01:24
Well, from my understanding the company you use only protects from DDoS attacks and wouldn't do jack. Also, hearing that you do have a backup in case my account is deleted or removed is exactly the information I was looking for. Let's see what I want. A. Tell me SmiteWorks has a 5 year and a 10 year plan for cyber security. B. Are you actively testing your own software for vulnerabilities? C. These are all reasonable questions. I am not a hacker, but I know a few in cyber security. I have my answers, will seek more details elsewhere since clearly you are being combative in this topic. Thanks and have a great day.
You do know that no one (myself included) that has answered or posted in this thread actually works for or represents the company that makes Fantasy Grounds?

The only statement from SmiteWorks or it's employees or representatives is the one that you were linked to early.

I'm sorry you feel we are being combative. I truly do not believe that is anyone's intent. I know it's not my intent.

The one service that SmiteWorks named, Cloudflare, you are correct in that it is designed to secure against DDoS attacks. And though those are annoying, they really have little to do with information security. The other measures that SmiteWorks alluded to in their post are other aspects of their security profile, the ones that are more important, imo.

But it all comes down to one important aspect: what information does SmiteWorks have on you that you are worried might be breached? They themselves do not store or collect any personally identifiable or financial information (note the part about PayPal and Steam handling all of that). The only important information they really have is your purchase history, which is easy to back up and restore in the event of a disaster/breach.

esmdev
August 14th, 2019, 01:25
Well, from my understanding the company you use only protects from DDoS attacks and wouldn't do jack. Also, hearing that you do have a backup in case my account is deleted or removed is exactly the information I was looking for. Let's see what I want. A. Tell me SmiteWorks has a 5 year and a 10 year plan for cyber security. B. Are you actively testing your own software for vulnerabilities? C. These are all reasonable questions. I am not a hacker, but I know a few in cyber security. I have my answers, will seek more details elsewhere since clearly you are being combative in this topic. Thanks and have a great day.

Nobody is being combative but you.

If you know actual cyber security people ask them specifically how they protect their networks. If they tell you, tell them they suck at their jobs for me. I would never tell you or anyone outside my direct chain of command what was being done to protect the network. If you asked me about networks under my care I'd say sorry but that information is confidential.

As for what you know or don't know your assumption is basically guesswork.

A 5 year or 10 year plan is basically a setup for failure. What you need is a constantly evolving plan or a security service that is managing that for you.

Most hosting services offer services that constantly check websites for known vulnerabilities and provide the client with regular reports. It would be safe to make the assumption that most forward facing commercial entities take advantage of that.

Finally, any actual banking data is stored at PayPal and not SmiteWorks, so basically you are stressing yourself about your email address, any info you have added to the forum profile and your purchase info. Even the password is encrypted, and while it could likely eventually be decrypted, the number of passwords wouldn't be worth the effort compared to large financial entities and such.

Andraax
August 14th, 2019, 02:13
SmiteWorks does not host the games you play. That is an important distinction from R20. If someone hacks your game, they get your game and that's it. Make sure the password you use here is different from the password you use anywhere else, and there is very little information they can get from you here. Even most of the financial information is stored at PayPal and not with SmiteWorks.

damned
August 14th, 2019, 02:37
A 5 year or 10 year plan is basically a setup for failure. What you need is a constantly evolving plan or a security service that is managing that for you.

Most hosting services offer services that constantly check websites for known vulnerabilities and provide the client with regular reports. It would be safe to make the assumption that most forward facing commercial entities take advantage of that.

100%.
I do a lot of work in cyber security. It's not my exclusive gig but I spend more than a third of my time on cyber security now.
I don't have a 2 year plan for cyber security.
Every day we learn more about the current threat environment from published vulnerabilities and fixes, from changing traffic patterns in logs, from shared discussions with others operating in my space and from the @#$% I deal with every day.
We make multiple changes and updates across all of our networks every week.
Today's best practice might be frowned upon tomorrow and possibly laughed at in 2 years.



Hey smiteworks I know I'm kinda new here but I would like to know the address of your company and the locations of all your security cameras and I need to know the passwords to get in and where you keep your car keys and the ss# of all your employees so I can evaluate my security if I buy your product.

Just looking for straight answers. K thx bai.


Also, and this is VERY important....boxers or briefs?

Briefs. I just feel safer in briefs ok.

bukkyo
August 15th, 2019, 02:40
I am certainly glad you are both not doing my cyber security LOL. If you do not have a budget plan, training plan, hiring plan, talent recruitment plan, and resource allocation plans for cyber security that go forward 5 years or more looking towards the what-ifs and trends of the field, you are going to fall behind. Goals and milestones are huge. In addition, you could have said "I don't know", or said "we have a plan that protects against this or that", or even better pointed me in the direction of someone who may be able to. Lastly, briefs are for old people. Boxers ftw.

Trenloe
August 15th, 2019, 03:31
@bukkyo- get real. Sorry, but you really need to get real. SmiteWorks is not some massive company with hundreds of employees and budgets that allow them to plan that far into the future. We're talking about the RPG industry here, not some MMO or console company that has millions of turnover and stores financial details about you.

And, again giving you some reality here, I think you'll find that most small companies with some form of Internet presence which stores a small amount of your data is in the same boat.

Quite frankly, with your viewpoint I'm surprised you even go onto the Internet, because 99% of the websites out there don't have anything like the years-into-the-future plans you seem to think are essential. Disconnect from the 'net!!!

seycyrus
August 15th, 2019, 03:45
Oh Bukkyo, what shall we do against the vile marauders at the door?! Will you protect us, oh noble Bukkyo? Name your price stalwart defender, and I shall certainly pay it, for you are our only salvation.

Your knowledge of all the buzzwords and catchphrases proves that it must be so ...

Trenloe
August 15th, 2019, 04:10
If you do not have a budget plan, training plan, hiring plan, talent recruitment plan, and resource allocation plans for cyber security that goes forward 5 years or more looking towards...
Sorry to reply again to this, but I have to follow up on this. Are you seriously expecting a company of less than 10 employees to have these things in place for 5 years or more? Budget plan? Training plan? Hiring plan? Talent recruitment plan? Resource allocation plan? For cyber security 5 years or more into the future?

Even if we're talking about a big company with hundreds of thousands of $$ to dedicate to this, as has already been mentioned - with cyber security you don't know what's coming next week, let alone next year. 5 years into the future? You may as well be planning a mission to Alpha Centauri for the relevance it's going to have.

esmdev
August 15th, 2019, 05:29
Sorry to reply again to this, but I have to follow up on this. Are you seriously expecting a company of less than 10 employees to have these things in place for 5 years or more? Budget plan? Training plan? Hiring plan? Talent recruitment plan? Resource allocation plan? For cyber security 5 years or more into the future?

Even if we're talking about a big company with hundreds of thousands of $$ to dedicate to this, as has already been mentioned - with cyber security you don't know what's coming next week, let alone next year. 5 years into the future? You may as well be planning a mission to Alpha Centauri for the relevance it's going to have.

To be honest I was going to say that the company structure he describes sounds pretty small. In the companies I used to work at budgets were handled by executives and accounting, training was handled by education, hiring and recruiting (basically the same thing listed twice) by human resources, software security by MIS, network security handled by network administration (software), network engineering (hardware), etc... the focus groups assigned to prepare for disasters, cyber intrusions, physical intrusions, etc., probably were each larger than the entire staff of Smiteworks.

The difference of course is that the staff of SmiteWorks have shown to be fairly computer savvy, whereas companies like the ones I'm talking about have a few hundred or even thousand savvy people and a couple hundred thousand 'users' spread across the globe that you could warn all day and they'll still click that email you just warned them about...

GavinRuneblade
August 15th, 2019, 06:07
The difference of course is that the staff of SmiteWorks have shown to be fairly computer savvy, whereas companies like the ones I'm talking about have a few hundred or even thousand savvy people and a couple hundred thousand 'users' spread across the globe that you could warn all day and they'll still click that email you just warned them about...
That describes where I work, except there's not thousands of us and we're not spread across the globe. There is no protection from the guy who clicks the email. No training helps. That guy is unstoppable.

Mortani
August 15th, 2019, 09:15
Training helps, but it doesn't stop everyone. No one thing does. Sometimes things look so good I almost fall for it. I do agree SmiteWorks is far more transparent than most companies.


Bukkyo, if you reread the statement, you can see SmiteWorks employs folks whose focus is on the areas of concern you've brought up. I can understand some of the frustration. It sucks any of us have to worry about it.

dulux-oz
August 15th, 2019, 10:28
I am certainly glad you are both not doing my cyber security LOL. If you do not have a budget plan, training plan, hiring plan, talent recruitment plan, and resource allocation plans for cyber security that go forward 5 years or more looking towards the what-ifs and trends of the field, you are going to fall behind. Goals and milestones are huge. In addition, you could have said "I don't know", or said "we have a plan that protects against this or that", or even better pointed me in the direction of someone who may be able to. Lastly, briefs are for old people. Boxers ftw.

That sounds like someone who has read a couple of the IT Security course manuals (& perhaps, maybe, sat one of the exams) but as someone who has a Masters Degree in IT (Management & Security) as well as a slew of other IT qualifications (proof: check out my LinkedIn Profile and/or call the relevant Universities/Organisations and ask) I can tell you that that is not how the real world works - for small or large companies!

And that's one reason (but not the most relevant) why we have IT Security Issues reported in the news every week.

bukkyo
August 15th, 2019, 19:02
My comment still stands and I know your company and SmiteWorks isn't doing anything to help the matters at hand but the bare minimum. Thanks guys :) You all need to stop making excuses (waaah, I only got 10 employees). You can close this thread, because every time ya post some stupid nonsense I will come back here and comment. In addition, telling me to disconnect from the net... wow, good on you brother and very professional. Glad the mods here are telling me to stop using the product they are representing. Good business plan hahahahaha. Thanks for taking the time to dodge my questions, attack my comments, and tell me to unplug from the net. I am so glad I purchased almost 3 grand worth of content from SmiteWorks or to be used with your software. Can't wait for a VTT that actually has support in place to come out. I for one will be jumping ship from this.

Trenloe
August 15th, 2019, 19:09
In addition, telling me to disconnect from the net... wow, good on you brother and very professional. Glad the mods here are telling me to stop using the product they are representing. Good business plan hahahahaha. Thanks for taking the time to dodge my questions, attack my comments, and tell me to unplug from the net.
Reading comprehension and context went out the window there, didn't they. Just like a lot of what you're saying in this thread. Enjoy your little bubble of virtual unreality, I'm sure it's amazing!

Nylanfs
August 15th, 2019, 19:12
If you want that info, become an investor. Contact Doug.

Trenloe
August 15th, 2019, 19:19
Thanks for taking the time to dodge my questions...
Your main question was already answered (see the post I linked you to), and others further stated that you're lucky to get that amount of information: the more security information a company gives out, the more potential hackers know!

You weren't happy with the more than the norm details provided, so you relied on a public forum to demand further information and then go on about unrealistic far over the horizon planning.

I suggest that if you want a detailed answer from Smiteworks, that you don't go on and on in a public forum and send them an email at [email protected] instead of complaining about responses from the general public. I think you're just looking for a soap box to stand on...

Moon Wizard
August 15th, 2019, 19:22
I’m going to go ahead and close this thread. I think it has run its course.

We have already provided via the previously provided link what we are comfortable with sharing as a company.
https://www.fantasygrounds.com/forums/showthread.php?47942-Data-Breach-Gaming-Sites-Affected&p=426411&viewfull=1#post426411

Regards,
JPG