Data Breach, Gaming Sites Affected

**LordEntrails** · February 14th, 2019, 23:51

If you needed another reason to use unique passwords on each and every website, here's another; https://techcrunch.com/2019/02/14/hacker-strikes-again/

A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from eight more websites, TechCrunch has learned.

**damned** · February 15th, 2019, 00:09

Roll20, a gaming site, had 4 million records listed

Ouch.

**LordEntrails** · February 15th, 2019, 01:08

What gets me is that according to that article is one/some of the websites (unspecified) stored the passwords in plaintext. That, imo, should be criminal. No wonder Europe has implemented the GDPR, I hope everyone else follows.

**LordEntrails** · February 15th, 2019, 01:23

Some interesting info, Under Armour announced the Breach March 29th of last year. https://www.uabiz.com/news-releases/...easeID=1062368

Anoimoto on July 10th; https://techcrunch.com/2018/08/20/an...location-data/

Houzz on Feb 4th; https://help.houzz.com/s/article/sec...language=en_US

px500 on Feb 13th and the breach was from July 2018; https://techcrunch.com/2018/08/20/an...location-data/

Coffee Meets Bagel and Roll20 just acknowledged it today; https://techcrunch.com/2019/02/14/ha...e-meets-bagel/ & https://app.roll20.net/forum/post/72...ecurity-breach

What I wonder, is why some of the sites knew about it before it was publically announced, and why others did not. I suspect that's because some do regular security audits and others don't. But, maybe someone more familiar with security can shed more light?

**damned** · February 15th, 2019, 01:27

the breaches are unlikely to have all happened on the same day.
and there is as you suggest a widely varying difference in businesses ability to detect these things...

**iotech** · February 15th, 2019, 03:46

Roll20's announcement to users:
https://app.roll20.net/forum/post/72...ecurity-breach

**ddavison** · February 15th, 2019, 15:47

Just some food for thought here and to ease people's minds:

Passwords are hashed in our system and we can't recover them, we can only reset/replace them
Our system stores emails, forum posts, blogs and purchase history.
Our system does not store any financial data for customers or customer addresses. Those are all offloaded to PayPal and don't enter our system at all. Even monthly subscriptions are billed directly from PayPal and not from our end.
Steam handles all payment, financial and other information for customers on Steam. We only get enough info to link a purchase to an account here.
We contract out to a firm to regularly review and patch our servers and we apply the latest forum software updates for the stable version we are working with
We maintain and archive server access and error logs that we periodically review with our outside contractor
We utilize Cloudflare as an extra layer of protection on top for protection against a wide array of attacks

I do encourage people to use different passwords for different sites.

**mattekure** · February 15th, 2019, 15:52

Thank you very much for the info, we all appreciate your efforts at keeping our info safe.

**LordEntrails** · February 15th, 2019, 17:17

Thanks for the info Doug. FYI, I wasn't fishing for a response from you, but do appreciate it!

**Andraax** · February 15th, 2019, 22:39

Originally Posted by ddavison

I do encourage people to use different passwords for different sites.

I recommend using LastPass or similar to manage your passwords.

Thread: Data Breach, Gaming Sites Affected

Thread Tools