Popular RPG Site 'Roll20' Allegedly Had 4 Million Users' Information Stolen

User information from over 4 million users of the popular roleplaying service Roll20 was recently posted to a dark web marketplace, the result of an apparent hack of the service's databases.

Yesterday, TechCrunch reported that Roll20 was one of eight services to have user information posted online, the result of an apparent security breach. The hacker reportedly responsible for the breach previously obtained user information from 620 million users from 16 websites last year. No financial information was obtained from the alleged Roll20 breach.

Roll20 is a popular "virtual tabletop" that allows players to play games like Dungeons & Dragons and Pathfinder online with friends. The service allows players to build characters and encounters and also serves as a digital marketplace, in which players can purchase official adventures and rulebooks to use in their Roll20 games.

"Earlier today, Roll20 was named in a report as one of several victims of an attack by malicious cybercriminals. We are currently working diligently to investigate the veracity of those claims," Roll20 responded via a blog post.

"Our security teams work tirelessly to monitor, identify and fix potential weaknesses in our systems to prevent any attacks, and we take seriously our responsibility to safeguard our users’ personal information. Accordingly, Roll20 only maintains users’ name, email address, hashed password, last login IP and time of login, and the last 4 digits of users’ credit card."

Roll20 noted that all billing information is handled by parties like Stripe and PayPal, and that no billing information ever touched their servers. Passwords are also hashed in such a way that they can't be reverse-engineered for other sites or used to access Roll20.


"We work hard to ensure data breaches don’t happen, and we always plan ahead for worst-case scenarios," Roll20 noted. "That’s why we maintain strict limits on the amount of personal information available for exposure in such a breach."

As a security precaution, Roll20 logged all of its users out of its site yesterday.